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1.1. 


1.2. 


1.3. 


1.4. 


1.5. 


Introduction 


Background. In late 2002, Congress passed the Help America Vote Act of 2002 (HAVA), which 
created the U.S. Election Assistance Commission (EAC) and vested it with the responsibility of 
setting voting system standards and for providing for the testing and certification of voting 
systems. This mandate represented the first time the Federal government provided for the 
voluntary testing, certification and decertification of voting systems nationwide. In response to 
this HAVA requirement, the EAC has developed the Voting System Testing and Certification 
Program (Program). 


Authority. HAVA requires that the EAC certify and decertify voting systems. Section 231(a)(1) of 
HAVA specifically requires the EAC to “... provide for the certification, decertification and re- 
certification of voting system hardware and software by accredited laboratories.” The EAC has 
the sole authority to grant certification or withdraw certification at the federal level, including the 
authority to grant, maintain, extend, suspend, and withdraw the right to retain or use any 
certificates, marks, or other indicators of certification. 


Scope. This manual provides the procedural requirements of the Program. Participation in the 
Program is voluntary, but if voting system manufacturers decide to participate then they must 
conform to the Program’s procedural requirements. The procedural requirements of this manual 
supersede any prior voting system certification requirements issued by the EAC. 


Purpose. The primary purpose of this manual is to provide clear procedures to manufacturers for 
the testing and certification of voting systems to the Voluntary Voting System Guidelines (VVSG) 
consistent with the requirements of HAVA Section 321(a)(1). The Program also serves to: 

e support state certification programs, 


e support local election officials in the areas of acceptance testing and pre-election system 
verification and validation, 


e increase quality control and quality assurance in voting system manufacturing, and 
e increase voter confidence in the use of voting systems. 


Manual. This manual establishes the Program’s operations and administrative requirements for 
voting system testing and certification. 


1.5.1. Maintenance and Revision. The manual will continue to be improved and expanded as 
experience and circumstances dictate. The manual will be reviewed periodically and 
updated to meet the needs of the EAC, manufacturers, voting system test laboratories 
(VSTLs), election officials, and the greater election community. The EAC is responsible for 
revising this manual, and all revisions will be made consistent with federal law. Changes 
in policy requiring immediate implementation will be noticed via policy memoranda and 
will be issued to each registered manufacturer and VSTL, and will also be posted on 
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WWW.EaC.g OV. 


1.5.2. Contents. The contents of the manual serve as an overview of the program and contains 
the following chapters: 


1. Introduction. This chapter serves as an overview to the program itself. 


2. Manufacturer Registration. This chapter provides the requirements and procedures for 
manufacturer registration. This registration provides the EAC with needed information 
and requires the manufacturer to agree to the requirements of the Program. 


3. Application Process. This chapter describes the application process for submitting a 
voting system for EAC certification. 


4. Certification Testing and Test Review. This chapter describes the required steps for voting 
system testing and review. 


5. Grant of Certification. This chapter outlines the actions that a manufacturer must take to 
receive a certificate and the manufacturer’s post-certification responsibilities. 


6. Denial of Certification. This chapter contains procedures for requesting reconsideration, 
opportunity to cure defects, and appeal. 


7. Decertification. This chapter sets procedures for decertification and explains the 
manufacturer's rights and responsibilities during that process. 


8. Quality Monitoring Program. This chapter sets forth the requirements of the Quality 
Monitoring Program. 


9. Requests for Interpretations. This chapter outlines the policy, requirements, and 
procedures for requesting an interpretation. 


10. Release of Certification Program Information. This chapter outlines the Program’s policies, 
procedures, and responsibilities associated with the public release of potentially protected 
commercial information. 


Program Description. The Program is one part of the overall conformity assessment process that 
includes companion efforts at state and local levels. The process to ensure voting systems meet 
technical requirements is a distributed, cooperative effort of federal, state, and local officials in the 
United States. Working with manufacturers, each of these officials has a unique responsibility for 
ensuring that voting systems meet specific requirements. 


1.6.1. The Program has the primary responsibility of ensuring voting systems tested and 
certified under this program conform to the VVSG. 
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1.7. 


1.8. 


1.6.2. State officials have responsibility for testing voting systems to ensure the system will 
support the specific requirements of each individual state. States may use EAC-accredited 
VSTLs to perform testing of voting systems to unique state standards while the systems 
are being tested to the VVSG. However, the EAC does not certify voting systems to state 
standards. 


1.6.3. State or local officials are responsible for deciding if an EAC-certified voting system 
complies with state laws and making the final acquisition decision based on which voting 
system offers the best fit and value for their specific state or local jurisdiction. 


Conformity Assessment, Generally. According to ISO/IEC 17000, conformity assessment is the 
"demonstration that specified requirements relating to a product, process, system, person or body 
are fulfilled.” Conformity assessments exist to protect the quality and ensure compliance with 
standards of products and services, and attempt to answer a variety of questions: 


1.7.1. What specifications need to be met for a system to be in compliance? For voting systems, the 
VVSG and its associated test assertions need to be met. States and local jurisdictions also 
have supplemental standards and legislative requirements. 


1.7.2. How are systems tested against required specifications? The Program is a central element of the 
larger conformity assessment and provides for the testing and certification of voting 
systems to versions of the VVSG adopted by EAC Commissioners and deemed current. 


1.7.3. Are the testing authorities qualified to make an accurate evaluation? The EAC accredits VSTLs, 
after the National Institute of Standards and Technology (NIST) National Voluntary Lab 
Accreditation Program (NVLAP) has reviewed, and approved, their technical competence 
and lab practices to ensure the test authorities are fully qualified. Furthermore, the EAC 
reviews and approves all test plans and test reports from VSTLs to ensure an accurate and 
complete evaluation. 


1.7.4. Will manufacturers deliver units within manufacturing tolerances equivalent to those tested? This 
manual requires manufacturers to have appropriate change management and quality 
control processes to monitor the quality and configuration of their products. The Program 
provides mechanisms for the EAC to verify manufacturer quality processes through field 
system testing and manufacturing site audits. States have implemented policies for 
acceptance of delivered units. 


Test Assertions. Many of the VVSG requirements focus on design at a high level and may be 
open to interpretation. In order to thoroughly test these requirements, manufacturers and VSTLs 
need the ability to break down each VVSG requirement into unambiguous, specific, and testable 
conditions. Test assertions are a method to accomplish this. The test assertions contain granular 
conditions that must be tested to determine conformance to specific VVSG requirements. The 
overall goal of the assertions is to ensure that the VSTLs test each requirement in the VVSG 
correctly and comprehensively. EAC staff will regularly review and revise the test assertions with 
feedback from VSTLs, manufacturers, election officials, NIST, and other stakeholders and will 
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make recommendations to the Executive Director for final approval. 


1.9. Program Personnel. All EAC personnel and contractors associated with this program are held to 
the highest ethical standards. All agents of the EAC involved in the Program are subject to 
conflict-of-interest reporting and ethics review, consistent with federal law and regulation. 


1.10. Program Records. The Program Director is responsible for maintaining accurate records to 
demonstrate that the Program procedures have been effectively fulfilled and to ensure the 
traceability, repeatability, and reproducibility of testing. All records are maintained, managed, 
secured, stored, archived, and disposed of in accordance with federal law, federal regulations, 
and procedures of the EAC. 


1.11. Submission of Documents. Any documents submitted pursuant to the requirements of this 
manual must be submitted: 

e Inasecured PDF file, formatted to protect the document from alteration with a proper 
signature when required by this manual. Documents requiring an authorized signature may 
be signed with an electronic representation or image of the signature of an authorized 
management representative and must meet any and all subsequent requirements established 
by the Program Director regarding security. 


e Via secure e-mail or other secure file transfer methods, if sent electronically, or physical 
delivery of a compact disk or other digital media deemed acceptable by the EAC, unless 
otherwise specified. 


e By certified mail or similar means with tracking. If sent via physical delivery, to the following 
address: 
U.S. Election Assistance Commission 
Attn: Testing and Certification Program Director 
633 3rd Street NW, Suite 200 
Washington, DC 20001 


1.12. Receipt of Documents — Manufacturer. For purposes of this manual, a document, notice, or other 
communication is considered received by a manufacturer upon its physical or electronic arrival at 
the manufacturer’s main office. 


1.13. Receipt of Documents — EAC. For purposes of this manual, a document, notice, or other 
communication is considered received by the EAC upon its physical or electronic arrival at the 
agency. All documents received by the agency will be physically or electronically date stamped 
and this stamp will serve as the date of receipt. 


1.14. EAC Response Timeframes. In recognition of the responsibilities and challenges facing 
manufacturers as they work to meet the requirements imposed by this Program, state certification 
programs, customers, state law and production schedules, the EAC will publish timeframes for its 
response to significant program elements. 
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1.16. 


1.17. 


Records Retention — Manufacturers. The manufacturer is responsible for ensuring all documents 
submitted to the EAC, or that otherwise serve as the basis for the certification of a voting system, 
are retained. A copy of all such records must be retained if a voting system is offered for sale or 
supported by a manufacturer and for five years thereafter. 


Record Retention — EAC. The EAC retains all records associated with the certification of a voting 
system if such system is fielded in a state or local election jurisdiction for use in federal elections. 
The records will otherwise be retained or disposed of consistent with federal statutes and 
regulations. 


Publication and Release of Documents. The EAC releases documents consistent with the 
requirements of federal law. It is EAC policy to make the certification process as transparent as 
possible. Any documents (or portions thereof) submitted under this Program are made available 
to the public unless specifically protected from release by law. All submitted documentation must 
utilize the least restrictive markings possible. The primary means for making this information 
available is through www.eac.gov. 
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2.1. 


2.2. 


Manufacturer Registration 


Overview. Manufacturer registration is the process by which manufacturers make initial contact 
with the EAC, provide essential information, and agree to requirements in order to participate in 
the Program. The manufacturer must be registered before it can submit an application to have a 
voting system tested by the EAC. The manufacturer will receive an identification code after 
successfully registering. Registration does not constitute an EAC endorsement of the 
manufacturer or its products nor is it a certification of that manufacturer’s products. 


Registration Requirements. The registration process requires the manufacturer to provide 
information to the EAC, which is necessary to enable the EAC to administer the program and 
communicate effectively with the manufacturer. The registration process also requires the 
manufacturer to agree to Program requirements, which relate to the manufacturer’s duties and 
responsibilities under the Program. 


Manufacturing facilities for commercial off-the-shelf (COTS) components, software, and plastic 
modeling facilities are not included in this definition and need not be reported to the EAC. The 
EAC reserves the right to request additional information from manufacturers related to the 
manufacturing process, including manufacturing facilities for the benefit of the Program. 


Manufacturers must report all current facilities. If manufacturing is not in progress at the time of 
a manufacturer’s submission of their registration package to the EAC, the manufacturer must 
report the last manufacturing facility which meets the definitions in this section. Manufacturers 
should also be aware that the reporting requirement is continuous and that when new 
manufacturing facilities are engaged, the registration package submitted to the EAC must be 
updated to reflect the new facilities as required by Section 2.5.2 of this manual. 

Manufacturers are required to provide the following information. 

2.2.1. The official name of the manufacturer. 


2.2.2. The address of the manufacturer's official place of business. 


2.2.3. A description of how the manufacturer is organized (i.e., type of corporation or 
partnership). 


2.2.4. Names of officers and/or members of the board of directors. 


2.2.5. Names of all partners and members (if organized as a partnership or limited liability 
corporation). 


2.2.6. Identification of any individual, organization, or entity with a controlling ownership 
interest (51% or more) in the manufacturer. 
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221: 


2.2.8. 


2.2.9. 


2.2.10. 


2.2.11. 


2.2.12. 


The name and contact information (telephone number, email address, and manufacturer's 
physical address) of the manufacturer’s management representative 


The name and contact information (telephone number, email address, and manufacturer's 
physical address) of the manufacturer’s technical representative 


The manufacturer’s written policies regarding its quality assurance system, consistent 
with guidance provided by this manual. 


The manufacturer’s written policies regarding internal procedures for controlling and 
managing changes to, and versions of, its voting systems., consistent with guidance 
provided by this manual. 


The manufacturer’s written policies on document retention, consistent with guidance 
provided by this manual. 


A list of all manufacturing facilities and the name and contact information of a person at 
each facility. 


Agreements. Manufacturers are required to take or abstain from certain actions to protect the 
integrity of the certification program and promote quality assurance, and are required to agree to 


the following program requirements: 


2.0L, 


Dis 


2.3. 


2.3.4. 


2.0.0. 


23:0; 


Adhere to all procedural requirements of this manual. 


Participate in a kick-off meeting at the beginning of a new certification effort. The 
purposes of these meetings are to have an in-depth discussion of the candidate voting 
system and allow both the EAC and VSTL staff to have a live, hands-on demonstration of 
the voting system. The duration of this meeting will be mutually agreed upon by all 
parties. 


Represent a voting system as certified only when it is authorized by the EAC, marketed 
and deployed in an EAC-certified configuration, and is consistent with the procedures and 
requirements of this manual. 


Produce and affix an EAC certification label to all production units of the certified system 
that must meet the requirements set forth in Chapter 5 of this manual. 


Notify the EAC of changes to any system previously certified by the EAC pursuant to the 
requirements of this manual (see Chapter 3). Such systems must be submitted for testing 


and additional certification when required. 


Permit an EAC representative to verify the manufacturer’s quality control by cooperating 
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2.3.7. 


2o8s 


Ded. 


2.3.10. 


2.3.11. 


with EAC efforts to test and review fielded voting systems consistent with Section 8.6 of 
this manual. 


Permit an EAC representative to verify the manufacturer’s quality control by conducting 
periodic inspections of manufacturing facilities consistent with Chapter 8 of this manual. 


Cooperate with any EAC inquiries and investigations into a certified system’s compliance 
with the VVSG or the procedural requirements of this manual consistent with Chapter 7. 


Report to the Program Director all malfunctions of a fielded voting system. A malfunction 
is a failure of a voting system, not caused solely by operator or administrative error, which 
impairs the confidentiality, integrity, or availability of the voting system. Initial 
malfunction reports must identify the location, nature, date, impact, and status of 
resolution (if any) of the malfunction and be filed within 15 business days of occurrence. 
Final malfunction reports must be submitted to the EAC after the root cause of the 
malfunction has been determined and a permanent fix developed. 


Report to the Program Director the names of each state and local jurisdiction using a 
voting system within five business days of delivery of the first production unit of the 
voting system to the jurisdiction. 


Certify the entity is not barred or otherwise prohibited by statute, regulation, or ruling 
from doing business in the United States. 


Registration Process. Registration is accomplished through use of the EAC registration form. 
After the EAC has received a registration form and other required registration documents, the 
Program Director must review the information for completeness before approval. 


2.4.1. 


Application Process. To become a registered manufacturer, interested parties must apply 
by submitting a Manufacturer Registration Application form that can be found at 
www.eac.gov. This form is used as the means for the manufacturer to provide the 
information and agree to the responsibilities required in Section 2.3. 


2.4.1.1 Application Form. In order for the EAC to accept and process the registration form, 
the applicant must adhere to the following requirements: 


e All fields must be completed by the manufacturer. 
e All required attachments prescribed by the form and this manual must be 
identified, completed, and forwarded within 30 business days to the EAC (e.g., 


manufacturer’s quality control and system change policies). 


e The application form must be affixed with the handwritten signature (or a 
digital representation of the handwritten signature) of the authorized 
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2.5. 


2.6. 


2.4.1.2 


manufacturer representative. 


Availability and Use of the Form. The manufacturer Registration Application Form 
may be accessed at www.eac.gov. Instructions for completing and submitting the 
form are included on the website along with contact information regarding 
questions about the form or the application process. 


2.4.2 EAC Review Process. 


2.4.2.1 


2.4.2.2 


2.4.2.3 


24.2.4 


After the application form and required attachments have been submitted, the 
applicant will receive an acknowledgement that the EAC has received the 
submission and that the application will be processed. 


If an incomplete form is submitted, or an attachment is not provided, the EAC will 
notify the manufacturer and request the omitted information. Registration 
applications will not be processed until they are deemed complete. 


Upon receipt of the completed registration form and accompanying 
documentation, the EAC will review the information for sufficiency. If the EAC 
requires clarification or additional information, the EAC will contact the 
manufacturer and request the needed information. 


Upon the determination that an application has been satisfactorily completed, the 
Program Director will notify the manufacturer that it has been registered. 


Registered Manufacturers. After a manufacturer has received notice that it is registered, it is 
eligible to participate in the program. Manufacturers will be issued a unique, three-letter 
identification code that is used to identify the manufacturer and its products. Manufacturers are 
required to keep all registration information up to date. Manufacturers must submit a revised 
application form to the EAC within 30 days of any changes to the information required on the 
application form. Manufacturers will remain registered participants in the program during this 
update process. The EAC will add the manufacturer to the EAC’s listing of registered 
manufacturers that is publicly available at www.eac.gov. 


Suspension of Registration. Manufacturers are required to establish policies and operate within 
the Program consistent with the procedural requirements presented in this manual. If 


manufacturers violate the Program’s requirements by engaging in activities inconsistent with this 


manual or failing to cooperate with the EAC, their registration may be suspended until such time 
as the issue is remedied as determined by the Program Director. 


2.6.1 Procedures. If a manufacturer’s activities violate the procedural requirements of this 


manual, the Program Director must notify the manufacturer of its violations, give the 
manufacturer an opportunity to respond, and provide the recommendations to bring the 
manufacturer into compliance. 
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2.6.1.1. Notice. Manufacturers will be provided written notice that they have taken action 
inconsistent with or acted in violation of the requirements of this manual. The 
notice will state the violations and the specific steps required to cure them and will 
provide manufacturers with 30 calendar days to respond to the notice and/or cure 
the defect. 


2.6.1.2. Manufacturer Action. The manufacturer is required to either respond within 10 
business days to the notice (demonstrating it was not in violation of Program 
requirements) or cure the identified violations within a time frame prescribed by 
the Program Director. The steps required to cure a violation include addressing the 
direct violation and the underlying root cause. In any case, the manufacturer's 
action must be approved by the Program Director to prevent suspension. 


2.6.1.3. Suspension. If the manufacturer fails to respond within 10 business days, is unable 
to provide a cure or response that is acceptable to the Program Director, or refuses 
to cooperate, the Program Director must issue a notice of suspension. The 
suspension must be provided in writing and must inform the manufacturer of the 
steps available to remedy the violations and lift the suspension. 


Effect of Suspension. A suspended manufacturer may not submit a voting system for 
certification under this Program. This prohibition includes a ban on the submission of 
modifications and changes, including minor changes, to a certified system. A suspension 
remains in effect until lifted by the Program Director. Suspended manufacturers will have 
their registration status reflected on www.eac.gov. Manufacturers have the right to 
remedy a noncompliance issue at any time and lift a suspension consistent with EAC 
guidance. Failure of a manufacturer to follow the requirements of this section may also 
result in decertification of voting systems consistent with Chapter 7 of this manual. 
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3.1. 


3.2. 


3.3. 


Application Process 


Overview. An EAC certification signifies that a voting system has been tested and determined to 
conform to the VVSG. Voting systems must be submitted for testing under this program to receive 
EAC certification. Systems may be submitted when (1) they are new and ready for the 
marketplace, (2) they have never received EAC certification, (3) they are a modified version of a 
previously certified system, or (4) the manufacturer wishes to test a previously certified system to 
a newer standard. This chapter discusses the submission of minor change orders, which may not 
require additional testing and certification, and outlines pre-election emergency waivers. 


EAC Certification. Certification is the process by which the EAC, through testing and evaluation 
conducted by an accredited VSTL, validates that a voting system meets the requirements set forth 
in the VVSG, and performs according to the manufacturer's specifications for the system. An EAC 
certification may be issued only by the EAC in accordance with the procedures presented in this 
manual. Certifications issued by other bodies (e.g., NASED and State certification programs) and 
state certification authorities (e.g., State Board of Elections) are not EAC certifications. 


The Program is designed to test and certify electromechanical and electronic voting systems to the 
VVSG that are available at www.eac.gov. The EAC must communicate which version(s) of the 
VVSG it accepts as the basis for testing and certification. This effort may be accomplished through 
the setting of a date for a particular version’s applicability, the setting of a date by which testing 
to a particular version is mandatory, or the setting of a date by which the EAC will no longer test 
to a particular standard. This date may differ between new systems and those being modified. 
The EAC only certifies those voting systems tested to the VVSG that the EAC has identified as 
valid for certification. 


When the EAC has authorized the option of certification to more than one version of the VVSG, 
the manufacturer must choose which version to have its voting system tested against, subject to 
EAC agreement. The voting system will then be certified to that version of the VVSG upon 
successful completion of testing. Manufacturers must ensure all applications for certification 
identify a particular version of the VVSG. 


Emerging Technologies. If a voting system or component is eligible for a certification under this 
program and employs technology that is not addressed by a currently accepted version of the 
VVSG, the relevant technology will be subjected to full integration testing and will be tested to 
ensure that it operates to the manufacturer's specifications and that the proper security risk 
assessments and quality assurance processes are in place. The Technology Testing Agreement 
(TTA) process described below is intended to provide additional clarification and guidance to 
enhance the testing and certification process for voting systems incorporating new or emerging 
technology. The remainder of the system must be tested to the applicable VVSG requirements. 


3.3.1. TTA Process 
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3.3.3. 


The manufacturer must contact the Program Director as early as possible in their design 
and development process to have a general discussion regarding new or emerging 
technology in any voting system product. A formal request for a TTA Meeting must be (1) 
clearly identified as such and (2) submitted electronically or physically via secure means 
to the Program Director. The EAC expects that the submission will be as detailed as design 
and development allow, but must include the following items: 


e Description of the product, highlighting elements involving new technologies, testable 
requirements, and other testing protocol issues. This description should include, at a 
minimum: 

o General product description 
o Engineering drawing(s) 
o Product composition/key components/materials 

e Device specifications 

e Analysis of potential failure modes and threat model/risk analysis 

e Outline of the proposed conditions of use 

e Summary of instructions for use of the product (voter and poll worker/election official) 


e Relevant performance information on the product, especially if routinely used in other 
industries. This information may include: 


o Published and/or unpublished data 
o Summary of test data 


o Summary of prior user experience. 


Prior to the formal TTA Meeting, the manufacturer must arrange for a preliminary 
meeting to review the submitted information and discuss any additional questions that 
may arise prior to the actual formal TTA Meeting. The manufacturer may then submit any 
additional information as required and finalize the date and time for formal TTA Meeting 
with the EAC and VSTL. 


TTA Meetings should be scheduled for approximately four hours or longer depending on 
the complexity of the issues to be discussed. The EAC and VSTL staff may raise any 
questions for the manufacturer about the product but should be focused on the key issues 
of the product's test plan development and testing that ultimately leads to the TTA. 


3.3.3.1 Post TTA Meeting Activities 
e At the end of the meeting, the Program Director will summarize the 
agreement(s) or explain any reasons for tabling the agreement(s), including 
the date of any follow-up meeting, if appropriate, and action items 
determined during the meeting. A record of attendees and minutes of the 
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meeting will be kept by both a designated EAC staff member and 
manufacturer representative. 


e The Program Director will prepare a memorandum outlining the TTA. Within 
10 business days of the meeting, a draft of the memorandum will be circulated 
for comment among all TTA Meeting participants. The final memorandum 
will be signed by the Program Director and conveyed to the applicant and 
VSTL within five business days of the receipt of final comments. 


3.3.4. Significance of an EAC Certification. An EAC certification is an official recognition that a 
voting system (in a specific configuration or configurations) has been tested by a VSTL to 
be in conformance with an identified set of VVSG requirements. An EAC certification is 
not: 

e An official endorsement of a manufacturer, voting system, or any of the system’s 
components. 


e A federal warranty of the voting system or any of its components. 


e A substitute for state or local certification and testing. State and local voting system 
certification activities play a major role in ensuring voting equipment adheres to 
state and local election law. 


e A determination that any component of a certified system is itself certified for use 
outside the certified configuration. 


3.4. Voting System Certification. Manufacturers must submit a voting system for testing under this 
program to obtain EAC certification. Such action is usually required for: 


(1) new systems not previously tested to any version of the VVSG; 

(2) existing systems not previously certified by the EAC; 

(3) previously certified systems that have been modified; 

(4) systems or technology specifically identified as requiring retesting by the EAC; or 


(5) previously certified systems that the manufacturer seeks to upgrade to a newer version of the 
VVSG. 


3.4.1. New System Certification. For purposes of this manual, new systems are defined as voting 
systems that have not been previously tested to the VVSG version(s) currently accepted 
for testing and certification by the EAC. New voting systems must be fully tested and 
submitted to the EAC according to the requirements of Chapter 4 of this manual. 


3.4.2. System Not Previously EAC-Certified. This term describes any voting system not 
previously certified by the EAC, including systems tested by EAC-accredited VSTLs 
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3.4.3. 


3.4.4. 


outside of the EAC’s certification program, or systems previously tested and denied 
certification by the EAC. Such systems must be fully tested and submitted to the EAC 
according to the requirements of Chapter 4 of this manual. 


Modification. A modification is any change to a previously EAC-certified voting system’s 
hardware, software, or firmware that is not a minor change and does not add or remove 
components of the system. For example, replacing a precinct count scanner with an 
updated or new model would be considered a modification but adding central count 
scanner to a system configuration that did not previously contain it would not. Any 
modification to a voting system requires testing and review by the EAC according to the 
requirements listed in Chapter 4 of this manual. 


EAC Identified Systems. Manufacturers may be required to submit systems previously 
certified by the EAC for re-testing. This may occur when the EAC determines that the 
original tests conducted on the voting system are now insufficient to demonstrate 
compliance with federal standards considering newly discovered threats or information. 


3.5. Changes to Voting Systems in the EAC Certification Program — Change Order. 
A change order is a change to a previously EAC-certified voting system’s hardware, software, 
documentation, or data. Such changes require VSTL review and endorsement and EAC 
approval. Any proposed change that does not meet this definition is a modification and must be 
submitted for testing and review consistent with the requirements of this manual. 


A change order does not apply to a system under test. Any changes made to a system under test 
are considered part of the test campaign. A single change order can be applied to multiple 
systems if a VSTL reviews and approves the change order for each EAC-certified system. 


3.5.1. 


Minor Change — Defined. A minor change is a change to a certified voting system’s 
hardware, software, technical data package (TDP), or data, the nature of which does not 
alter the system’s reliability, functionality, capability, or operation as detailed in section 
3.5.1. Under no circumstance is a change considered minor if it has reasonable and 
identifiable potential to impact the system’s performance and compliance with the 
applicable VVSG. 


e General Characteristics of minor software changes. Minor software changes should have 
the following general characteristics: 
o update a discrete component of the system and do not impact overall system 
functionality, 
o donot modify the counting or tally logic of a component or the system, 


o donot affect the accuracy of the component or system, 


o do notnegatively impact the functionality, performance, accessibility, usability, 
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safety, or security of a component or system, 


o donot alter the overall configuration of the certified system (e.g. adding ballot 
marking device functionality to a previously certified direct recording electronic 
(DRE) component), and 


o canbe reviewed and/or tested by VSTL personnel in a short amount of time 
(approximately less than 100 hours). 


Minor Change — Procedure. Manufacturers who wish to implement a proposed minor 
change must submit it for VSTL review and endorsement and EAC approval. A proposed 
minor change may not be implemented as such until it has been approved in writing by 
the EAC. 


3.5.2.1 VSTL Review. Manufacturers must submit any proposed minor change to a VSTL 
and the EAC for review and endorsement. The manufacturer must provide the 
VSTL: 
e a detailed description of the change, 


e a description of the facts giving rise to or necessitating the change, 


e the basis for its determination that the change does not alter the system’s 
reliability, functionality, or operation, 


e¢ upon request of the VSTL, a sample voting system at issue or any relevant 
technical information needed to make the determination, 


e documentation of any potential impact to election officials currently using the 
system and any required notifications to those officials, 


e a description of how this change impacts any relevant system documentation, 
and 


e any other information the EAC or VSTL needs to make a determination. 


The VSTL must review the proposed minor change and make an independent 
determination as to whether the change meets the definition of minor change or 
requires the voting system to undergo additional testing as a system modification. 
If the VSTL determines that a minor change is appropriate, it must endorse the 
proposed change as a minor change. If the VSTL determines that modification 
testing and certification should be performed, it must reclassify the proposed 
change as a modification. Endorsed minor changes must be forwarded to the 
Program Director for final approval. Rejected changes must be returned to the 
manufacturer for resubmission as system modifications. 
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3.5.2.2 VSTL Endorsed Changes. The VSTL must forward any change it has endorsed as 
minor to the EAC in a package that includes: 


The manufacturer’s initial description of the minor change, a narrative of facts 
giving rise to, or necessitating, the change, and the determination that the 
change does not alter the system’s reliability, functionality, or operation. 


The written determination of the VSTL’s endorsement of the minor change. 
The endorsement document must explain why the VSTL, in its engineering 
judgment, determined that the proposed minor change met the definition in 
this section and otherwise does not require additional testing and certification. 


The validated hashes, trusted builds, and version listing for all software 
modules changed. 


3.5.2.3 EAC Action. The EAC must review all proposed minor changes endorsed by a 
VSTL. The EAC has sole authority to determine whether any VSTL endorsed 
change constitutes a minor change under this section. The EAC must inform the 
manufacturer and VSTL of its determination in writing. 


If the EAC approves the change as a minor change, it must provide written 
notice to the manufacturer and VSTL. The EAC must track and maintain copies 
of all approved minor changes 


If the EAC determines that a proposed minor change cannot be approved, it 
must inform the VSTL and manufacturer of its decision. The proposed change 
is considered a modification and require testing and certification consistent 
with this manual. Minor changes cannot be made to voting systems currently 
undergoing testing; these changes are merely adjustments to an uncertified 
system 


3.6 Changes to Voting Systems in the EAC Certification Program - Modification. 


3.6.1 


Modification Procedure. Once a manufacturer has submitted a modification application, a 
test plan must be created and submitted to the EAC for the test plan review process. Any 
modification is subject to full testing of the modifications (delta testing) and those systems 
or subsystems altered or impacted by the modification (regression testing). The system is 
also subject to system integration testing to ensure overall functionality. Once testing is 
completed, a test report must be generated by the VSTL and submitted to the EAC for 
approval. 


EAC Approval. If the EAC approves the change as a modification, it must provide written 
notice to the manufacturer and VSTL and generate a Certificate of Conformance. The EAC 
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must track and maintain copies of all approved modifications. 


3.6.3 EAC Denial. If the EAC determines that a modification cannot be approved, it must 
inform the VSTL and manufacturer of its decision. The Denial of Certification appeals 
process would govern this testing campaign. 


3.6.4 Modification Change — Effect of EAC Approval. EAC approval of a modification permits 


the manufacturer to implement the proposed change. Fielding a change not approved by 
the EAC is a basis for system decertification and suspension of manufacturer registration. 


Provisional, Pre-Election Emergency Modification. The EAC has developed a provisional 
modification process to address extraordinary pre-election emergency situations. This process is 
to be used only for the emergency situations indicated and only when there is a clear and 
compelling need for temporary relief until the regular certification process can be followed. 


3.7.1 


Oe 


Purpose. The purpose of this section is to allow for a mechanism within the Program 
for manufacturers to modify EAC-certified voting systems in emergency situations 
immediately before an election. This situation arises when a modification to a voting 
system is required and an election deadline is imminent, preventing the completion of 
the full certification process (and state and/or local testing process) prior to Election 
Day. In such situations, the EAC may issue a waiver to the manufacturer authorizing 
it to make the modification without submission for modification testing and 
certification. The modification must be tested after the election. 

General Requirements. A request for an emergency modification waiver must be made 
by a manufacturer only in conjunction with the state election official whose 
jurisdiction(s) would be adversely affected if the requested modification were not 
implemented before Election Day. Requests must be submitted at least five calendar 
days before an election. To receive a waiver, a manufacturer must demonstrate the 
following: 


e The modification is functionally or legally required; that is, the system cannot be 
fielded in an election without the change. 


e The voting system requiring modification is needed by state or local election 
officials to conduct a pending federal election. 


e The voting system to be modified has previously been certified by the EAC. 

e The modification cannot be tested by a VSTL and submitted to the EAC for 
certification, consistent with the procedural requirements of this manual, at least 
60 days before the pending federal election. 


e Relevant state law requires federal certification of the requested modification. 


e The manufacturer must provide an attestation stating that the modification 
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properly functions as designed, is suitably integrated with the system, and does 
not negatively affect system reliability, functionality, or accuracy. 


The manufacturer (through a VSTL) has completed as much of the evaluation 
testing as possible for the modification and has provided the results of such testing 
to the EAC. 


The emergency modification is required and supported by a state’s chief election 
official seeking to field the voting system in an impending federal election. 


Request for Waiver. A manufacturer’s request for waiver must be made in writing to 
the Decision Authority and must include the following elements: 


A signed statement providing sufficient description, background, information, 
documentation, and other evidence necessary to demonstrate that the request for a 
waiver meets each of the requirements stated in Section 3.6. 


A signed statement from a state’s chief election official requiring the emergency 
modification. This signed statement must identify the pending election creating the 
emergency situation and attest that (1) the modification is required to field the 
system, (2) state law (citation) requires EAC action to field the system in an 
election, and (3) normal timelines required under the Program cannot be met. 


A signed statement from a VSTL stating there is insufficient time to perform 
necessary testing and complete the certification process. The statement must also 
state what testing the VSTL has performed on the modification to date, provide the 
results of such tests, and state the schedule for the completion of testing. 


A detailed description of the modification, the need for the modification, how it 
was developed, how it addresses the need for which it was designed, its impact on 
the voting system, and how the modification will be fielded or implemented in a 
timely manner consistent with the manufacturer’s quality control program. 


All documentation of tests performed on the modification by the manufacturer, a 
laboratory, or other third party. 


A written agreement signed by the manufacturer’s representative agreeing to take 
the following action: 
Submit for testing and certification, consistent with Chapter 4 of this manual, any 
voting system receiving a waiver under this section that has not already been 
submitted. This action must be taken immediately. 


Abstain from representing the modified system as EAC-certified. The modified 


system has not been certified; rather, the originally certified system has received 
a waiver providing the manufacturer a temporary exemption allowing its 
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modification. States must determine if this meets state and local law. 


e Submit a report to the EAC regarding the performance of the modified voting 
system within 60 days of the federal election that served as the basis for the 
waiver. This report must, at a minimum, identify and describe any performance 
failures, technical failures, security failures, and/or accuracy problems. 


EAC Review. The EAC must review all waiver requests submitted in a timely manner 


and make determinations regarding the requests. Incomplete requests will be returned for 


resubmission with a written notification regarding its deficiencies. 


3.7.5. 


a7; 


3.7.7. 


3.7 3: 


Letter of Approval. If the EAC approves the modification waiver, the Decision Authority 
must issue a letter granting the temporary waiver within five business days of receiving a 
complete request. 


Effect of Grant of Waiver. An EAC grant of waiver for an emergency modification is not 
an EAC certification of the modification. Waivers under this program grant manufacturers 
leave to only temporarily amend previously certified systems without testing and 
certification for the specific election noted in the request. Without such a waiver, such 
action would ordinarily result in decertification of the modified system (See Chapter 7). 
Systems receiving a waiver must satisfy any state requirement that a system be nationally 
or federally certified. 


3.7.6.1. All waivers are temporary and expire sixty (60) days after the Federal election for 
which the system was modified, and the waiver granted. 


3.7.6.2. Any system granted a waiver must be submitted for testing and certification. This 
must be accomplished as soon as possible. 


3.7.6.3. The grant of a waiver does not predispose the modified system to being granted a 
certification. 


Denial of Request for Waiver. A request for waiver may be denied by the EAC if the 
request does not meet the requirements noted above, fails to follow the procedure 
established by this section, or otherwise fails to sufficiently support a conclusion that the 
modification at issue is needed, functions properly, and is in the public interest. A denial 
of a request for an emergency modification by the EAC is final and not subject to appeal. 
Manufacturers may submit for certification, consistent with Chapter 4 of this manual, 
modifications for which emergency waivers were denied. 


Publication Notice of Waiver. The EAC must post relevant information relating to the 
temporary grant of an emergency waiver on www.eac.gov including information 
concerning the limited nature and effect of the waiver. This information will be removed 
upon the waiver’s expiration. 
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4.1 


4.2 


Certification Testing and Technical Review 


Overview. This chapter discusses the procedural requirements for submitting a voting system to 
the EAC for testing and review. In order to receive EAC certification for a voting system, a 
registered manufacturer must: (1) submit an application for certification, (2) have a VSTL submit 
an EAC-approved test plan, (3) have a VSTL test a voting system to the VVSG, and (4) have a 
VSTL submit a test report to the EAC for technical review and approval. The result of this process 
is a final decision on certification. 


Certification Application. Manufacturers must submit an application package that designates if 
the application is for a new or modified voting system. EAC approval is required prior to 


conducting any testing. Any testing occurring after the execution of a contract or agreement for 
certification testing (not including the Test Readiness Review) between a VSTL and a registered 
manufacturer is presumed to be certification testing. The application information includes: 


4.2.1 


4.2.2 


4.2.3 


4.2.4 


4.2.5 


4.2.6 


4.2.7 


Voting system designation. The manufacturer must designate if the voting system is a new 
or modified system. 


Manufacturer information. Identification of the manufacturer (name and three-letter 
identification code). 


Selection of accredited laboratory. Selection and identification of the VSTL that will 
perform voting system testing and other prescribed laboratory action consistent with the 
requirements of this manual. Once selected, a manufacturer may not replace the selected 
VSTL without the express written consent of the Program Director. Such permission is 
granted solely at the discretion of the Program Director and only upon demonstration of 
good cause. 


VVSG information. Identification of the VVSG version to which the manufacturer wishes 
to have the identified voting system tested and certified. 


Voting system identification. Manufacturers must identify the system submitted for 
testing by providing its name and version number. Separate identification of each device 
that is part of the voting system including all COTS components. A keyboard, mouse, 
accessibility peripheral, or printer connected to a programmed voting device, as well as 
any optical drive, hard drive or similar component installed within it, are considered 
components of the voting device, not separate devices. 


Voting variations. The manufacturer must identify the voting variations supported by the 
voting system. These variations are listed in the applicable VVSG documentation. 


Language support. The electronic display or printed document on which the user views 
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4.2.8 


4.2.9 


4.2.10 


4.2.11 


4.2.12 


4.2.13 


4.2.14 


4.2.15 


the ballot must be capable of rendering an image of the ballot in any of the languages 
required by the Voting Rights Act of 1965, as amended. 


List of accessibility capabilities. The manufacturer must provide a detailed explanation of 
the accessibility capabilities present in their system beyond those required by the version 
of VVSG the system is being evaluated against and that the manufacturer wishes to 
include as part of the certified configuration. 


Device capacities and limits. For each voting system component, capacities and limitations 
must be listed such as: 

e Size of ballots readable by optical scan components 

e Scan rate for each size of ballot readable by optical scan components 

e Total number of precincts and/or precinct splits programmable for each device 


Coding convention. Each voting system component must have a single coding convention 
selected for every programming language used in the voting system. This information 
must include: 

e System Component 

e Language Used 

e Specified Coding Convention 

e Source of Coding Convention 


Functional diagrams. Diagram(s) that display all components and how the components 
relate and interact in each configuration. 


Modification (only). An application for modification must include: 

e Modified system components 

e Component version numbers 

e Detailed description of the change(s) 

e Listing of all TDP documents impacted by the change 

e Usability impact 

e Functional diagram(s) that display all components and how the components relate and 
interact in each configuration if impacted by modification. 


Certification number. The manufacturer must provide the desired EAC certification 
number. 


Date submitted. The manufacturer must note the date the application was submitted for 
EAC approval. 


Signature. The manufacturer must affix the signature of the authorized management 
representative. 


23 


EAC Voting System Testing and Certification Program Manual, Version 3.0 


4.3 Submission of the Application Package. The manufacturer must submit the application form 


4.4 


4.5 


and the required additional information to the Program Director. Applications and accompanying 
documentation must be submitted in PDF or another electronic format as prescribed by the 
Program Director. Applications must pass all accessibility checks prior to acceptance by the EAC. 


EAC Review. Upon receipt of a manufacturer’s application package, the EAC must review the 
submission for completeness and accuracy. The manufacturer must be notified of acceptance or 
rejection of the application package within five business days of the EAC’s receipt of the 
application. If the application package is incomplete or inaccurate, the EAC must return it to the 
manufacturer with instructions for resubmission. If the form submitted is acceptable, the 
manufacturer will be notified and assigned a unique application number. 


Penetration Testing. 


4.5.1 Overview: The EAC recognizes the need for robust voting system security testing in its 
Testing and Certification Program. To meet this goal, penetration testing is used to help 
assess the security posture of voting systems entering the EAC’s Testing & Certification 
program. 


4.5.2 Purpose: The purpose of EAC’s new penetration testing efforts are: 


e Identify architecture, design and implementation flaws that may not be detected using 
the conformance testing required by the VVSG. This includes identifying: 

e Systemic functional, reliability, and security flaws can be exploited to change the 
outcome of an election, provide erroneous results for an election, cause an 
unacceptable denial of service, compromise ballot secrecy, or modify the audit 
trail. 


e Malicious software or firmware that may have been introduced in order to change 
the outcome of an election, to provide erroneous results for an election or to deny 
services to voters. 


e Penetration testing can be resource intensive and the penetration test must not be open 
ended nor introduce unacceptable delays into the certification process. 
e Ensure the security testing performed as part of the EAC’s Voting System Testing 
and Certification Program is utilizing a standardized security analysis 
methodology approved by the EAC. 


e Recognize that cybersecurity is a process that requires regular review to ensure 
new flaws do not surface or are newly introduced. Regular assessment can 


leverage the minor change process for software updates and patches. 


4.5.3 General Requirements: The following are a list of requirements for the penetration testing 
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4.5.4 


4.5.5 


performed under the Testing & Certification Program: 
e All submitted voting systems are subject to penetration testing. 
e The scope is limited to voter facing devices and vote tabulation software and 
hardware. 
e Unmodified components of a voting system may not be subject to 
penetration testing at the discretion of the EAC. 


e The VSTL must develop a team based on the personnel qualifications and 
requirements introduced below. 


Qualifications for Individuals Performing Testing: To perform testing, a team of 
penetration testers with knowledge in specific areas is required. All teams must have 
expertise in 3 distinct disciplines: penetration testing, software testing, and election 
technology and administration. 


4.5.4.1 Penetration Testing Personnel. The following education and experience requirements 
must be met: 

e Certifications: Holds a penetration testing related industry certification. 

e = Skills: 
e Familiarity with penetration testing methodologies, 
e Hands-on knowledge of vulnerability scanning, system exploitation, 

reconnaissance, hardware exploitation, and wireless tools, and 

e Ability to design/run tests and evaluate/report findings. 


Prerequisites 
e The testers must have voting system hardware and documentation available. 


e The voting system must be configured exactly how it is documented by the 
manufacturer in how it is to be used in elections. The impact of accidental 
misconfiguration is outside the scope of penetration testing. This should be 
analyzed as part of security configuration and vulnerability analysis as mandated 
by VVSG 2.0 14.2-N (Known vulnerabilities) and 14.2-G (Secure configuration and 
hardening). 


4.5.6 Procedure. The penetration testing report must be submitted by the manufacturer to EAC 


4.5.7 


as part of the Test Readiness Review. In general, penetration testing will occur in two 
phases: 


e Phase I - Pre-Testing Assessment 
e Phase II — Penetration Testing 


Pre-Testing Assessment. The purpose of the pre-testing assessment is to allow VSTLs to 
develop a detailed vulnerability and threat analysis plan that will be used to guide future 
testing by prioritizing tasks to test in a resource efficient manner. 
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4.5.7.1 Pre-Testing Assessment Process. The VSTL or subcontractor must coordinate the 
penetration testing process. The primary goal of the pre-testing assessment is to 
prioritize threats and minimize level of effort throughout the penetration testing 
process. 


The manufacturer must submit relevant system hardware, software, and 
technical documentation to the VSTL as well as notification to the Program 
Director of their intention to have the VSTL perform penetration testing as 
outlined in this manual. 


The VSTL develops a vulnerability and threat analysis document based on a 
standard/methodology (e.g., OWASP, NIST, etc.) containing detailed 
vulnerability and threat information on potential ways to subvert the voting 
system’s security. This must be submitted to the EAC for approval. 


The Program Director must approve or reject the vulnerability and threat 
analysis. 


Upon approval, the VSTL will move into Phase II testing. 


Penetration Testing: The purpose of this phase is to conduct penetration testing using the 
vulnerability and threat analysis developed and approved during Phase I. Voting systems 
must be tested in an environment simulating real-world usage, according to the 


manufacturer’s documentation, and include physical security seals, system hardening, 
and other procedures documented by the manufacturer 


4.5.8.1 Penetration Testing Process: The VSTL must conduct penetration testing and 
submit the report to EAC for approval. 


The VSTL must conduct penetration testing guided by the vulnerability and 
threat analysis. 


The VSTL must submit the security audit report to the manufacturer and the 
Program Director. The report must contain vulnerability information prioritized 
by likelihood and impact, supported by other relevant comments and 
information. 


The Program Director must approve or reject the report based in part on the 
VSTL’s engineering judgement. The manufacturer must submit an attestation 
that all critical vulnerabilities have been addressed that must be submitted with 
the final certification testing report and made available on www.eac.gov. 


4.6. Test Readiness Review. The Test Readiness Review (TRR) is the mechanism used by the EAC to 
ensure that test and evaluation resources are not committed to a voting system that is not ready 
for testing by a VSTL. The TRR determines if the submitted voting system and documentation are 


26 


EAC Voting System Testing and Certification Program Manual, Version 3.0 


4.7. 


ready to enter certification testing. The TRR must be completed by the VSTL and the subsequent 
test readiness acknowledgement must be received by the EAC prior to the initiation of any 
certification testing. To assess the readiness of a voting system for certification testing, the VSTL 


must review: 


System Technical Data Package: The TDP must be reviewed to ensure all elements required 
by the VVSG are present. 


System Components: The VSTL must review the submitted voting system to ensure all 
components required to configure the voting system as defined in the system TDP are 
delivered to the VSTL and appear to be operational and in good working order. System 
Component information must match the manufacturer’s application submitted to the EAC. 
All components submitted for testing must be equivalent to the final production model of 
the voting system in fit, form and function. Any component not available at the time of this 
review must be delivered to the VSTL by the manufacturer within 30 days of the initial TRR 
or testing of the system must be halted and the EAC notified that the system is not ready for 
testing. 


Preliminary Source Code Review: The VSTL must conduct a preliminary review of no less 
than 1% of the total lines of code of every software package or product submitted prior to, 
or during, testing in order to ensure that the code is mature and does not contain any 
systematic non- conformities. 


Mark Reading: The system must be able to read a fully filled mark if it is an optical scan 
system. 


Summary of COTS components. This summary should outline which components of the 
voting system are COTS products and must be updated with each test campaign. 


Test Readiness Notification. Upon completion of the TRR, the VSTL must submit a 
statement to the EAC confirming that the voting system completed the TRR and the VSTL 
determined that the system is ready for certification testing to the applicable VVSG. 


Test Readiness Acknowledgement. Upon receipt of the test readiness notification from the 
VSTL, the EAC must issue a written acknowledgement within three business days of 
receipt stating that the VSTL and manufacturer may commence certification testing. 
Systems not passing the TRR must be remanded to the manufacturer for additional work 
as noted in the test readiness notification. 


Test Plan. The manufacturer must authorize its designated VSTL to submit a test plan directly to 
the EAC. The test plan must document the strategy and plan for testing each section of the 
applicable version of the VVSG and is to be used as a key tool to manage the test campaign and to 
verify that a voting system or component meets all of the VVSG and Program requirements. The 
test plan must be written with completeness and clarity that allows all stakeholders to understand 
the testing that will be conducted and to assess each section of the VVSG. The objective is to 
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address each section of the VVSG in detail, and to clearly and succinctly describe the strategy 
and/or approach for testing each section. 


4.7.1. 


Development. A VSTL must develop test plans that use appropriate test protocols, 
standards, or test suites developed by the VSTL, and must use all applicable protocols, 
standards, or test assertions issued by the EAC. Care should be taken to clearly 
communicate the scope and requirements of testing, the test strategies, and the resource 
needs. This information identifies the purpose and boundaries of the test campaign: what 
will be tested and how it will be tested. 


Because future events in any test campaign cannot be 100% predicted and controlled, the 
initial submission of the test plan is viewed as a baseline that enables periodic updates as 
events cause the plan to change. The VSTL is expected to update specific sections of the 
plan and resubmit as necessary to enable all stakeholders to understand and use the test 
plan. As the voting system changes via change orders, component changes, or COTS 
products change, the test plan must be updated since these changes may significantly 
impact the testing. These test plan changes might also alter the original schedule and may 
require an updated schedule be submitted with the revised test plan. The following are 
examples of instances that would likely require updating the test plan: 

e Changes to the manufacturer’s application for testing. 


e Engineering changes that alter the scope or function of the voting system. 


e Information discovered during testing that changed the strategy on how best to 
test the voting system. 


For the test plan to be an effective, living document it needs to be clear and complete so 
stakeholders can review the plan and understand what needs to be done to complete the 
project. In order to accomplish these goals, the following general topics must be included 
in the test plan: 

e Acomprehensive scope of evaluation that each requirement or set of requirements 
is going to be evaluated for compliance, and that all features, interfaces, and 
characteristics of the individual devices and the system are evaluated to applicable 
requirements. 


e The names and titles of VSTL personnel who will be responsible for each aspect of 
the test campaign. 


e A detailed project schedule including the critical path for project completion. 


e The test methods that will be used to validate compliance to the VVSG. 


4.7.2. Required Testing. Test plans must be developed to ensure a voting system is functional 


and meets all of the VVSG. A test plan must ensure the test results, and other factual 
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evidence of the testing, are clearly documented. System testing must meet all of the VVSG. 


4.7.2.1. New Voting System. A new system is subject to full testing of all hardware and 
software. 


4.7.2.2. Modified Voting System. A modified system must be tested in a manner necessary to 
ensure all changes meet the VVSG and that the modified system will function 
properly and reliably. Any modified system is subject to testing of the 
modifications (delta testing) and those systems or subsystems altered or impacted 
by the modification (regression testing). The system is also subject to system 
integration testing to ensure overall functionality. 


4.7.2.3. Modification Test Plans. Test plans submitted for modified systems must be brief 
and structured to minimize test plan development and review. The test plan must 
concisely document the strategy and plan for testing the sections of the VVSG 
applicable to the modification(s) including clearly communicating the scope of 
testing, test strategies, and the resources needed. Modification test plans must 
include: 

e Acomprehensive scope of evaluation that each requirement or set of 
requirements is going to be evaluated for compliance, and that all features, 
interfaces, and characteristics of the individual devices and the system are 
evaluated to applicable requirements. 


e The names and titles of VSTL personnel who will be responsible for each aspect 
of the test campaign. 


e A detailed project schedule including the critical path for project completion. 
e The test methods that will be used to validate compliance to the VVSG. 
e Acomplete definition of the baseline certified system. 


e A detailed description of all modifications to the certified system and why the 
modification was implemented. 


e A ccitation of the VVSG version to which the original system was certified. 

e Acitation of the VVSG version to which the modified system is to be tested. 

e A detailed description of the specific components, including versions. 

e An initial assessment of the impact the changes have on the current system and 


any previous certification. 
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4.7.3. 


4.7.4. 


4.7.2.4. 


4.7.2.5. 


e An initial assessment of the impact the changes have on TDP documents. 
e A table indicating how each of the existing NOCs/RFIs will be addressed. 


e A description of what will be tested (regression) to establish assurance that the 
change(s) have no adverse impact on the compliance, integrity, or the 
performance of the equipment. 


e A description of what will be tested (regression) to establish assurance that the 
change(s) create no inconsistencies with the TDP and are correctly documented 
and reflected in the TDP. 


EAC Identified Systems. Previously certified systems identified for retesting by the 
EAC must be tested as directed by the Program Director. 


Modular Testing. If the system has been previously certified to a VVSG version 
deemed acceptable by the EAC, it may retain that level of certification with only 
the modification being tested to the current VVSG version(s). 


Format. VSTLs must issue test plans consistent with the format outlined in Appendix C of 
this document and any applicable EAC guidance. All submitted documents must pass 
accessibility checks prior to acceptance by the EAC. 


EAC Approval. All test plans are subject to EAC approval. A test report will not be accepted 
for technical review unless the test plan on which it is based has been approved by the 
Program Director. 


4.7.4.1. 


4.7 4.2. 


Review. All test plans must be reviewed for adequacy by Program staff. The 
Program Director must determine whether the test plan is acceptable or 
unacceptable. Unacceptable plans must be returned to the VSTL for further action. 
Acceptable plans must be approved by the Program Director and appropriate 
notifications made. Although manufacturers may direct VSTLs to begin testing 
before approval of a test plan, the manufacturer bears the full risk that the test plan 
(and thus any tests performed) may be deemed unacceptable. 


Rejected Plans. If a test plan is rejected, the Program Director must return the 
submission to the manufacturer’s identified VSTL for additional action. A written 
notice of rejection must be sent to the VSTL and manufacturer and must include a 
description of the deficiencies identified and steps required to remedy the test 
plan. Rejected test plans may be resubmitted for review after remedial action is 
taken. 


4.8. Trusted Build. A software build is the process whereby source code is converted to machine- 
readable binary instructions (executable code) for the computer. A trusted build is a build 
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performed with adequate security measures implemented to give confidence that the executable 
code is a verifiable and faithful representation of the source code. The primary function of a 
trusted build is to create a chain of evidence that allows stakeholders to have an approved model 
to use for verification of a voting system. Specifically, the build must: 

e Demonstrate that the software was built as described in the TDP. 


e Show that the tested and approved source code was used to build the executable code used on 
the system. 


e Demonstrate that no elements other than those included in the TDP were introduced in the 
software build. The manufacturer or source from which each COTS product was procured 
must be included in the TDP. 


e Document the configuration of the system certified. 


e Demonstrate that all COTS products are unmodified. 


4.8.1 Trusted Build Procedure. A trusted build is a three-step process: (1) the build environment 
is constructed, (2) the executable code and installation disks are created, (3) the VSTL 
verifies that the trusted build was created and functions properly, and (4) a copy of the 
trusted build must be submitted to the EAC. The process may be simplified for a 
modification to a previously certified system. Before creating the trusted build, the VSTL 
must complete the source code review of the software delivered from the manufacturer 
for compliance with the VVSG and must produce and record cryptographic hashes of all 
source code modules. Hashes must use a current FIPS 140-2 level 1 or higher validated 
cryptographic module. After the trusted build is completed, there is no other “final” build. 


4.8.1.1. Constructing the Build Environment. The VSTL must construct the build in an 
environment controlled by the VSTL but that allows manufacturer observation, as 
follows: 
e The device that holds the build environment must be completely erased, in 
accordance with Department of Defense or NIST approved methods. The 
VSTL must ensure a complete erasure of the device. 


e The VSTL must construct the build environment. 


e After construction of the build environment, the VSTL must produce and 
record a file signature of the build environment. 


e Aclone of the build environment computer’s main storage media must be 
created. File signatures must be created by the VSTL for verification 
purposes. 


4.8.1.2. Creating the Executable Code and Installation Disks. After successful source code 


review the VSTL must: 
e Check the file signatures of the source code modules and build environment 
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to ensure they are unchanged from their original form. 


e Load the source code onto the build environment and produce and record 
the file signature of the resulting combination. 


e Produce the executable code and produce and record file signatures of the 
executable code. A clone of the computer’s main storage on which the 
executable code was created must be created, with the file signatures verified 
by the VSTL. 


e The VSTL must create installation disk(s) from the executable code and 
produce and record file signatures of the installation disk(s). 


4.8.1.3. Verification of the Created Media. Upon completion of all the tasks outlined above, 
the VSTL must perform the following tasks: 
e Install the executable code onto the system submitted for testing and 
certification before the completion of system testing. 


e Produce and record file signatures of each voting system file resident on each 
device. 


e Verify that all media to be included in the Trusted Build and submitted to the 
EAC functions properly. 


4.8.1.4. Trusted Build for Modifications. The process of building new executable code when a 
previously certified system has been modified can be somewhat simplified, if the 
build environment of the modification’s original certification can be obtained. 

e The build environment used in the original certification is removed from 
storage and its file signature verified. 


e After source code review, the modified files are placed onto the verified build 
environment and new executable files are produced. 


e If the original build environment is unavailable or its file signatures cannot 
be verified against those recorded from the original certification, then the full 
process of creating the build environment must be performed. Further source 
code review may be required to validate that files are unmodified from the 
originally certified versions. 


4.9. Testing. During testing, VSTLs must report any changes to a voting system or an approved test 
plan, and all test failures or anomalies directly to the EAC. 


4.9.1 Changes. Any changes to a voting system, initiated as a result of the testing process, 
requires submission of an updated implementation statement, functional diagram, and 
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4.9.2 


4.9.3 


system overview document and, potentially, an updated test plan. Test plans must be 
updated whenever a change to a voting system requires deviation from the test plan 
originally approved by the EAC. Changes requiring alteration or deviation from the 
originally approved test plan must be submitted to the EAC for approval before the 
completion of testing. 


Test Anomalies or Failures. The VSTLs must ensure all anomalies or failures are addressed 
and resolved before testing is completed. All test failures and anomalies, as well as the 
actions taken to resolve such failures and anomalies must be documented by the VSTL in 
an appendix to the test report. These matters must be reported in a format that identifies 
the failure or anomaly, the applicable VVSG, and a description of how the failure or 
anomaly was resolved. The manufacturer must conduct a root cause analysis for each 
failure and anomaly following the format provided by the EAC. This analysis must be 
provided to the VSTL and the EAC prior to the beginning the test report phase of the test 


campaign. 


Deficiency Criteria. Voting systems must be returned to a manufacturer for further 
readiness review and/or QA testing if any of the following conditions occur: 
e Testing continues for more than 18 months without a test report being issued. 


e Inactivity that exceeds 90 calendar days, as a result of a manufacturer’s decision or 
lack of action, which hinders the progression of the test campaign. 


e A significant deficiency caused by one or more major architectural flaws, requiring 
significant redesign to adequately eliminate the deficiency. Two factors will be 
considered in determining the significance of a deficiency: 

o the consequences of the deficiency with respect to proper voting system 
function, and 


othe extent of redesign necessary to fully remedy the deficiency. A full remedy 
goes beyond a superficial response to the symptoms, which leaves an 
underlying architectural flaw unaddressed, creating the potential for other 
manifestations of the deficiency to reoccur. A full remedy addresses the root 
cause of the deficiency and removes the cause of the problem that created the 
deficiency. 


The following categories of deficiencies are used to determine when to remove a voting 
system from the Program: 


e Major: A major deficiency adversely effects the accuracy, reliability, usability, 
security, or accessibility of a voting system. Examples of major deficiencies are 
misreported results or consistent hardware failures. 

o Voting systems must be returned to a manufacturer if one or more major 
deficiencies are discovered during a test campaign for root cause analysis, or if 


33 


EAC Voting System Testing and Certification Program Manual, Version 3.0 
the same deficiency occurs after root cause analysis and remediation. 


e Minor: A minor deficiency does not adversely affect the accuracy, reliability, 
usability, security, or accessibility of a voting system. Examples of a minor 
deficiency include typographical errors, documentation deficiencies, or source 
code coding convention deficiencies (e.g., coding or comment convention 
deficiency). 

o Voting systems must be returned to a manufacturer if the VSTL or Program 
Director determine that multiple minor deficiencies are causing significant 
delays in the test campaign. 


Two or more instances of a deficiency are considered to be the same unique deficiency if: 
(1) the outputs of each instance are identical; and (2) the same, specific remedy cures all 
instances of the deficiency. If a second deficiency is discovered that results in the same 
output as the first deficiency, but requires a different remedy to cure it, it is considered a 
second unique deficiency. Two similar deficiencies that require a modification within 
different areas of the source code to remedy the deficiency are to be considered separate 
and unique deficiencies. 


The VSTL must make the initial assignment for each deficiency into one of the categories 
described above. The VSTL must ensure that each deficiency is described and documented 
accurately in order to ensure the correct categorization of each deficiency. The EAC must 
review the categorizations of the VSTL and make the final determinations as to the 
categorization of deficiencies. All deficiencies must be corrected before a voting system is 
approved for certification. 


When a voting system is returned to a manufacturer for reasons described in this section, 
the manufacturer must review its quality process and perform an analysis of how the 
identified deficiencies passed through its quality system. The manufacturer must perform 
a quality review to determine the extent of the QA issues and document the appropriate 
measures that are implemented to ensure that similar deficiencies do not occur again. 
Specifically, the manufacturer must detail the specific changes made to its quality process 
and then the voting system to remedy the failures in the design and the quality process. 
All such documentation must be submitted to the EAC for review. The manufacturer may 
re-apply for certification only after the EAC makes the determination that the QA 
analysis/review and the measures put in place, in both the quality system and the voting 
system design, are deemed adequate. 


4.10 Test Report. VSTLs must submit test reports to the EAC after the voting system has been tested 
and all tests identified in the test plan have been successfully performed. 


4.10.1 Submission. The test reports must be submitted to the Program Director. The Program 
Director must review the submission for completeness. Any reports showing incomplete 
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4.10.2 


4.10.3 


4.10.4 


or unsuccessful testing must be returned to the VSTL for action and resubmission. Notice 
of this action must be provided to the manufacturer. Test reports must be submitted in 
PDF or other electronic formats as prescribed by the Program Director. Test reports 
submitted to the EAC must pass all accessibility checks before being accepted. 


Format. VSTLs must submit reports consistent with the requirements in the VVSG and in 
the format outlined in Appendix D of this manual. All information provided in the test 
report must be provided in a clear, complete and unambiguous manner, so that a wide 
range of readers and users of the document can understand the evaluation supporting a 
system’s certification. In addition, the test report must show that all of the VVSG have 
been tested and successfully completed by the voting system as a prerequisite to 
certification. Documentation of test cases executed during the testing must be attached to 
the test report. 


Technical Review. A technical review of the test plan, test cases, test report, and any other 
technical documentation must be conducted by the EAC. The EAC may require the 
submission of additional information from the VSTL or manufacturer if deemed necessary 
to complete the review. Program staff must submit findings to the Program Director, 
providing an assessment of the completeness and adequacy of the VSTL’s testing as 
documented in the test report. 


Program Director’s Recommendation. The Program Director must review the report and 
take one of the following actions: 
e Provide a written approval of the test report to the manufacturer and VSTL; or 


e Refer the report back to the VSTL for additional, specified action and resubmission. 
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5. 


5.1. 


5.2. 


5.3. 


Grant of Certification 


Overview. The grant of certification is the formal process through which the EAC acknowledges 
that a voting system has successfully completed conformance testing to a current version of the 
VVSG. The granting of certification begins with the approval of the test report. The voting system 
will be certified after the manufacturer confirms that the final version of the software that was 
tested has been subject to a trusted build, placed in an EAC-approved repository, and can be 
verified using the manufacturer’s system identification tools. The manufacturer must provide the 
EAC documentation demonstrating compliance with these requirements. 


Pre-certification approval. The Program Director must inform the manufacturer of the steps that 
must be taken to receive a certification including providing the manufacturer with specific 
instructions for confirming and documenting that the final certified version of the software meets 
the requirements for depositing software in an approved repository, and creating and making 
available system verification tools. 


Depositing Software in the EAC Repository. Before final certification is granted, the VSTL must 
deliver the following elements into the EAC repository: 


e Description of items located on the deposit media, including a description of items to be 
deposited. The description must include utilities or third-party applications used to create 
the deposit such as OS utilities or third-party software, and encryption information 
required for passwords and/or crypto-keys or software programs required to access the 
deposited materials. 


e Source code used for the trusted build and its file signatures. 


e The final TDP of the voting system submitted for testing including all product bills of 
material, assembly drawings and schematics for the version being certified. 


e A detailed description of the Build Environment including setup and configuration, 
configuration settings for all compilers and third-party components and whether the build 
process requires source code to be loaded to a specific location. 

e Build control files and/or scripts that control the build process. 

e Executable code produced by the trusted build and the file signatures of all files produced. 

e Installation device(s) and the file signatures of the installation devices. 

e Build instructions describing how to compile the escrow deposit and build executable 
code. (Include hardware descriptions and OS system requirements, particularly any 


custom settings required. Voting systems are often needed to function for well over a 
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decade. This is necessary for long term maintainability of the voting system. 


e Names of all required applications necessary to compile and build executable code, 
objects, dynamic libraries, etc. 


e Aniinstallation copy of the certified version of the EMS for the voting system. 


e The computer on which the trusted build was created must have applicable storage media 
that contained the trusted build, removed and submitted to the EAC. The EAC may 
receive Virtual Machines (appliances) from the VSTL for the trusted build. Trusted builds 
must include this virtual machine and any related items, so that the system can be 
constructed or restored on another machine. Trusted builds must be in the Open 
Virtualization Format 


e The manufacturer must provide system identification tools through which a fielded 
voting system may be identified and demonstrated to be unmodified from the system that 
was certified. The purpose of this requirement is to make such tools available to federal, 
state, and local officials to identify and verify that the equipment used in elections is 
unmodified from its certified version. The EAC may review the system identification tools 
developed by the manufacturer to ensure compliance. VSTLs must test system 
identification tools during the test campaign to make sure they function properly and as 
intended. System identification tools include the following examples: 

e Hardware is commonly identified by a model number and revision number on the 
unit, its printed wiring boards (PWBs), and major subunits. Typically, hardware is 
verified as unmodified by providing detailed photographs of the PWBs and internal 
construction of the unit. These images may be used to compare to the unit being 
verified. 


e Software operating on a host computer will typically be verified by providing self- 
booting removable media or similar device that verifies the file signatures of the 
voting system application files and the signatures of all nonvolatile files the 
application files access during their operation. Note that the creation of such a CD 
requires having a file map of all nonvolatile files used by the voting system. Such a 
tool must be provided for verification using the file signatures of the original 
executable files provided for testing. If during the certification process modifications 
are made and new executable files created, then the tool must be updated to reflect the 
file signatures of the final files to be distributed for use. For software operating on 
devices in which a self-booting CD or similar device cannot be used, a procedure must 
be provided to allow identification and verification of the software that is being used 
on the device. 


5.4. Documentation. Manufacturers must provide documentation to the Program Director verifying 
the trusted build has been performed, software has been deposited in an approved repository, 


and system identification tools are available to election officials. The manufacturer must submit a 
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5.5. 


5.6. 


5.7. 


letter, signed by both its management representative and a VSTL official, stating (under penalty 
of law) that it has (1) performed a trusted build consistent with the requirements of this manual, 
(2) deposited software consistent with the requirements of this manual, and (3) created and made 
available system identification tools consistent with the requirements of this manual. This letter 
must also include (as attachments) a copy and description of the system identification tool. 


Final Decision. Upon receipt of documentation demonstrating the successful completion of the 
requirements above and recommendation of the Program Director, the Decision Authority must 
issue a final decision granting certification and providing the manufacturer with a certification 
number and Certificate of Conformance. 


Certification Document. The Certificate of Conformance, which includes the scope of 
certification, serves as the manufacturer’s evidence that a particular system is certified to a 
particular version of the VVSG and only applies only to the specific voting system 
configuration(s) identified, submitted, and evaluated under the Program. Any modification to the 
system not authorized by the EAC voids the certificate. The certificate must include the voting 
system name, the specific model or version of the product tested, the name of the VSTL that 
conducted the testing, identification of the VVSG version to which the system was tested, the 
EAC certification number for the product, and the signature of the Decision Authority. The 
certificate must also identify each of the various configurations of the voting system’s 
components that may be represented as certified. 


Certification Number and Version Control. Each system certified by the EAC receives a 
certification number unique to the system that will remain with the system until such time as the 
system is decertified, sufficiently modified, or tested and certified to newer standards. When a 
previously certified system is issued a new certification number, the manufacturer is required to 
change the system’s name or version number. 


5.7.1. New Voting Systems and Those Not Previously Certified by the EAC. All systems 


receiving their first certification from the EAC will receive a new certification number. 
Manufacturers must provide the EAC with the voting system’s name and version number 
during the application process (Chapter 4). Systems previously certified by another body 
may retain the previous system name and version number unless the system was 
modified before its submission to the EAC. Such modified systems must be submitted 
with a new naming convention (i.e., anew version number). 


5.7.2. Modifications. Voting systems previously certified by the EAC and submitted for 
certification of a modification will receive a new voting system certification number. Such 
modified systems must be submitted with a new naming convention. 


5.7.3. Certification Upgrade. Voting systems previously certified and submitted (without 
modification) for testing to a new version of the VVSG will receive a new certification 
number. In such cases, however, the manufacturer is not required to change the system 
name or version number. 
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5.8. 


5.9. 


5.7.4. Minor Change. Voting systems previously certified and implementing an approved minor 
change order (per Chapter 3) will not be issued a new certification number and are not 
required to implement a new naming convention. 


Publication of EAC Certification. The EAC must publish and maintain a list of all certified 
voting systems, including copies of all Certificates of Conformance, supporting test reports, and 
voting system and manufacturer information at www.eac.gov. Such information must be posted 
immediately following the manufacturer’s receipt of the Final Decision. Manufacturers with 
certified voting systems are responsible for ensuring that each system it produces is properly 
labeled as certified. 


Representation of EAC Certification. Manufacturers may not represent or imply a voting system 
is EAC-certified unless it has received a Certificate of Conformance for the system. Statements 
regarding EAC certification in brochures, on websites, on displays, and in advertising/sales 
literature must be made solely in reference to specific systems. Any action by a manufacturer to 
suggest EAC endorsement of its product or organization is strictly prohibited and may result ina 
manufacturer’s suspension or other action pursuant to Federal civil and criminal law. 
Manufacturers must provide a copy of the Certificate and Scope of Certification document (found 
at www.eac.gov) to any jurisdiction purchasing an EAC-certified system. 


5.10. Mark of Certification Requirements. Manufacturers must post a mark of certification on all 


EAC-certified voting systems produced. This mark must be securely attached to the system 
before sale, lease, or release to third parties. A mark of certification must be made using an EAC- 
mandated template. These templates identify the version of the VVSG to which the system is 
certified. Use of this template is mandatory and the EAC will provide the mark as a template 

in jpg, .pdf, and .tif formats. Manufacturers who need access to the mark pursuant to labeling an 
EAC-certified voting system should send a formal request, via email or letter, to the Program 
Director. The request must include the specific voting system and version number(s), indication 
of where the mark will be displayed on the voting system, and specification of the format in 
which the mark will be reproduced. 


e The certification of individual components or modifications must be independently 
represented by a mark of certification. In the event a system has components or 
modifications tested to various (later) versions of the VVSG, the system must bear only 
the mark of the VVSG to which the system (as a whole) was tested and certified. 
Ultimately, a voting system must only display the mark of the oldest version of the VVSG 
to which any of its components are certified. 


e The mark must be placed on the outside of a unit of voting equipment in a place readily 
visible to election officials. The mark need not be affixed to each of the voting system’s 
components. The mark must be affixed to either each unit that is used to cast ballots or 
each unit that is used to tabulate ballots. 
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e All labels bearing the mark must be designed and applied to voting equipment so that 
the labels will remain in place and be clear and legible during the customary conditions 
of distribution, storage, voting and routine testing and maintenance. The materials used 
for the label, printing and adhesives must be reasonably expected to last the normal and 
projected lifespan of the voting system. If using an adhesive type label for the mark, the 
label stock material must be such that the label cannot be removed intact and reapplied. 
The label must also be designed to resist the effects of cleaning agents specified by the 
manufacturer. The mark must remain clear and legible after the use of any recommended 
cleaning agents as specified by the manufacturer and adhesive labels, if used, must not 
have become loose or curled at the edges. If a mark has become degraded to the effect 
that it is illegible, it must be replaced with an exact copy. 


e If the EAC determines a voting system is not in compliance with the VVSG, and the 
system has already been sold or otherwise distributed bearing the mark, the EAC must 
provide written notice to the manufacturer. If the manufacturer fails to take corrective 
action within 15 calendar days of receipt of such notice, the EAC has the right to 
announce publicly, and to directly inform jurisdictions that use the system, that the 
voting system may no longer comply with its original certification and may choose to 
initiate decertification actions as outlined in Chapter 7 of this manual, and/or suspension 
of manufacturer registration as outlined in Chapter of this manual. Corrective action 
may include modification of the voting system to bring it into compliance with the 
VVSG, or removal of the mark from the product. 


5.11. Information to Election Officials Purchasing Voting Systems. The user’s manual or instruction 
manual for a certified voting system must warn jurisdictions that any changes or modifications to 
the system not tested and certified by the EAC voids the EAC certification of the voting system. In 
cases in which the manual is only provided in an electronic format, the information required in 
this section must be included in the same format. 
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6. Denial of Certification 


6.1. Overview. When the Decision Authority issues an initial decision denying certification, the 
manufacturer has certain rights and responsibilities. The manufacturer may request an 
opportunity to cure the defects identified by the Decision Authority. In addition, the 
manufacturer may request that the Decision Authority reconsider the initial decision after the 
manufacturer has had the opportunity to review the record and submit supporting written 
materials, data, and the rationale for its position. Finally, in the event reconsideration is denied, 
the manufacturer may appeal the decision to the Appeal Authority as described in section 6.11. 


6.2. Applicability of This Chapter. This chapter applies when the Decision Authority makes an initial 
decision to deny voting system certification, including a modification, based on the materials and 
recommendation provided by the Program Director. 


6.3. Form of Decisions. All agency determinations must be made in writing. 


6.4. Effect of Denial of Certification. Upon receipt of the agency’s decision denying certification— or 
in the event of an appeal, subject to the decision on appeal—the manufacturer’s application for 
certification will be denied. Such systems will not be reviewed again by the EAC for certification 
unless the manufacturer alters the system, retests it, and submits a new application for system 
certification. 


6.5. Record Retention. The Program Director must maintain all documents related to a denial of 
certification. Such documents constitute the procedural and substantive record of the decision- 
making process. Records may include the following: 

e The Program Director’s report and recommendation to the Decision Authority. 


e The Decision Authority’s final decision. 


e Any materials gathered by the Decision Authority that serve as a basis for a certification 
determination. 


e All relevant and allowable materials submitted by the manufacturer upon request for 
reconsideration or appeal. 


6.6. Initial Decision. The Decision Authority must make and issue a written decision for voting 
systems submitted for certification. When such decisions result in a denial of certification, the 
decision is considered preliminary and referred to as an initial decision. Initial decisions must be 
in writing and contain the Decision Authority’s basis and explanation for the decision and notice 
of the manufacturer’s rights in the denial of certification process. 


6.6.1 Basis and Explanation. The initial decision of the Decision Authority must clearly state the 
agency’s decision on certification, state the actions the manufacturer must take to cure all 
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defects in the voting system and obtain a certification, and explain the basis for the decision, 
including: 
e the relevant facts, 


e the applicable VVSG, 
e the relevant analysis in the Program Director’s recommendation, and 
e the reasoning behind the decision. 


6.6.2 Manufacturer’s Rights. The written initial decision must also inform the manufacturer of its 
procedural rights under the certification program, including the following: 
e The manufacturer will be informed of its right to request a timely reconsideration 
(see Section 6.9). Such a request must be made within 10 calendar days of the 
manufacturer’s receipt of the initial decision. 


e The right to request a copy or have access to the information that served as the basis 
of the initial decision. 


e The right to cure system defects prior to the final decision (see Section 6.8). A 
manufacturer may request an opportunity to cure. This request must be made within 
10 calendar days of its receipt of the initial decision. 


6.7. No Manufacturer Action on Initial Decision. If a manufacturer takes no action (by either failing 
to request an opportunity to cure or request reconsideration) within 10 calendar days of its receipt 
of the initial decision, the initial decision will become the agency’s final decision on certification. 
In such cases, the manufacturer is determined to have foregone its right to reconsideration, cure, 
and appeal. The certification application will be denied. 


6.8. Opportunity to Cure. Within 10 calendar days of receiving the EAC’s final decision on 
certification, a manufacturer may request an opportunity to cure the defects identified in the 
EAC’s initial decision. If the request is approved, a compliance plan must be created, approved, 
and followed. If this cure process is successfully completed, a voting system denied certification 
in an initial decision may receive a certification without resubmission. 


6.8.1. EAC Action on Request. The Decision Authority must review the request and notify the 
manufacturer in writing if the request to cure is approved or denied. The Decision 
Authority will deny a request to cure only if the proposed plan to cure is inadequate or 
does not present a viable way to remedy the identified defects. If the manufacturer’s 
request to cure is denied, it will have 10 calendar days from the date it received such 
notice to request reconsideration of the initial decision. 


6.8.2. Manufacturer’s Compliance Plan. Upon approval of the manufacturer’s request for an 
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6.9. 


6.8.3. 


6.8.4. 


6.8.5. 


opportunity to cure, the manufacturer must submit a compliance plan to the Decision 
Authority for approval. This compliance plan must set forth steps to be taken to cure all 
identified defects. It must include the proposed changes to the system, updated technical 
information (as required by Section 4.2), and a new test plan created and submitted 
directly to the EAC by the VSTL. The plan must provide for the testing of the amended 
system and submission of a test report by the VSTL to the EAC for approval. It must 
provide an estimated date for receipt of this test report and include a schedule of periodic 
VSTL progress reports to the Program Director. 


EAC Action on the Compliance Plan. The Decision Authority must review and approve 
the compliance plan. The Decision Authority may require the manufacturer to provide 
additional information and modify the plan as required. If the manufacturer is unable or 
unwilling to provide a compliance plan acceptable to the Decision Authority, the Decision 
Authority will provide written notice terminating the cure process. The manufacturer will 
have 10 calendar days from the date it receives such notice to request reconsideration of 
the initial decision. 


Compliance Plan Test Report. The VSTL must submit the test report created pursuant to 
its EAC-approved compliance plan. The EAC must review the test report, along with the 
original test report and other materials originally provided, consistent with the procedures 
laid out in Chapter 4. 


EAC Decision on the System. After receipt of the test plan, the Decision Authority must 
issue a decision on a voting system amended pursuant to an approved compliance plan in 
the same manner and with the same process and rights as a final decision on certification. 


Requests for Reconsideration. Manufacturers may request reconsideration of an initial decision. 


6.9.1; 


6.9.2. 


6.9.5. 


Submission of Request. A request for reconsideration must be made_within 10 calendar 
days of the manufacturer’s receipt of an initial decision. The request must be made and 
sent to the Decision Authority. 


Acknowledgment of Request. The Decision Authority must acknowledge receipt of the 
manufacturer’s request for reconsideration. This acknowledgment must either enclose all 
information that served as the basis for the initial decision or provide a date by which the 
record will be forwarded to the manufacturer. 


Manufacturer’s Submission. Within 30 calendar days of receipt of the record, a 
manufacturer may submit written materials in support of its position, including the 
following: 


¢ awritten argument responding to the conclusions in the initial decision, or 


e documentary evidence relevant to the issues raised in the initial decision. 
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6.9.4. Decision Authority’s Review of Request. The Decision Authority must review and 
consider all relevant submissions of the manufacturer. In making a decision on 
reconsideration, the Decision Authority must also consider all documents that make up 
the record and any other documentary information he or she determines relevant. 


6.10. Agency Final Decision. The Decision Authority must issue a written final decision after review of 
the manufacturer’s request for reconsideration. This decision will be the decision of the agency 
and must include: 

e The agency’s determination on the application for certification. 


e The issues raised by the manufacturer in its request for reconsideration. 
e All facts, evidence, and EAC voting system standards that serve as the basis for the decision. 
e The reasoning behind the determination. 


e Any additional documentary information identified and provided as an attachment that 
serves as a basis for the decision and was not part of the manufacturer’s submission or the 
prior record. 


e The manufacturer notice of its right to appeal. 


6.11. Appeal of Agency Final Decision. Within 20 calendar days of receipt of a final decision denying 
certification, a manufacturer may issue a written request for appeal. The appeal must be 
submitted to the Decision Authority and addressed to the Chair of the EAC. Any submission after 
20-day period will not be considered. The request must clearly sate the specific conclusions of the 
final decision it wishes to appeal. The request cannot reference or include any factual material 
that is not in the record. 


6.11.1. Consideration of Appeal. All timely appeals will be considered by the Appeal Authority. 
e The Appeal Authority consists of two or more EAC Commissioners or other 
individuals appointed by the Commissioners who have not previously served as the 
initial or reconsideration authority on the matter. If the Appeal Authority does not 
reach consensus, the appeal will be denied. 


e All decisions on appeal must be based on the record. 


e The determination of the Decision Authority will be given deference by the Appeal 
Authority. Although it is unlikely that the certification process will produce factual 
disputes, in such cases, the burden of proof belongs to the manufacturer to 
demonstrate by clear and convincing evidence that its voting system met all 
substantive and procedural requirements for certification. The determination of the 


44 


EAC Voting System Testing and Certification Program Manual, Version 3.0 


Decision Authority may be overturned only when the Appeal Authority finds the 
ultimate facts in controversy highly probable. 


6.12. Decision on Appeal. The Appeal Authority must make a written, final decision on appeal and 
provide it to the manufacturer. The Appeal Authority must make one of two determinations. 


6.12.1. Grant of Appeal. The appeal will be granted if the Appeal Authority determines that the 
conclusions of the Decision Authority should be overturned in full. In such cases, 
certification will be approved subject to the requirements of Chapter 5. 


6.12.2. Denial of Appeal. The appeal will be denied if the Appeal Authority determines that the 
Decision Authority’s determination should be upheld. In such cases, the application for 
appeal is denied. 


The following are required to be contained in the Decision on Appeal: 
e The final determination of the agency. 


e The matters raised by the manufacturer on appeal. 
e The reasoning behind the decisions. 


e Statement that the decision on appeal is final and that no additional appeal will be 
granted. 
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7.1, 


7.2. 


Decertification 


Decertification Policy. Decertification is the process by which the EAC revokes a certification 
previously granted to a voting system. It is an important part of the program because it serves to 
ensure the VVSG and requirements of the Program are followed and that certified voting systems 
maintain the same level of quality as those presented for testing. Its use will significantly affect 
manufacturers, state and local governments, the public, and the administration of elections. 


Decertification is initiated when the EAC receives information from a source that has used, tested, 
or observed that a voting system may not be in compliance with the VVSG or the procedural 
requirements of this manual. Upon receipt of this information, the Program Director must initiate 
an informal inquiry to determine if the reported information is accurate. If the information is 
accurate and suggests the system is non-compliant, a formal investigation will be initiated. If the 
results of the formal investigation demonstrate noncompliance, the manufacturer will be 
provided a notice of noncompliance. Before a final decision on decertification is made, the 
manufacturer will have the opportunity to remedy any defects identified in the voting system and 
present information for consideration by the Decision Authority. A decertification may be 
appealed within 20 business days of receipt. 


Systems will be decertified if: 
e they do not to meet applicable VVSG, 


e they have been modified or changed without following the requirements of this manual, 
or 


e the manufacturer has failed to follow the procedures outlined in this manual and the 
quality, configuration, or compliance of the system is in question. 


Informal Inquiry. An informal inquiry is the first step taken when information is presented to the 
EAC that suggests a voting system may not be in compliance with the VVSG requirements or the 
procedural requirements of this manual. The sole purpose of the informal inquiry is to determine 
whether a formal investigation is warranted. The outcome of an informal inquiry is limited to a 
decision on referral for investigation. 


7.2.1. Procedure. Informal inquiries do not follow a formal process. 


7.2.1.1. Initiation. Informal inquiries are initiated at the discretion of the Program Director. 
They may be initiated any time the Program Director receives attributable, relevant 
information that suggests a certified voting system may require decertification. The 
information must come from a source that has used, tested, or observed the 
reported occurrence. Such information may be a product of the Certification 
Quality Monitoring Program (see Chapter 8). The Program Director must notify 
the manufacturer that an informal inquiry has been initiated. Initiation of an 
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7.3. 


7.2.2. 


7.2.3, 


inquiry must be documented through the creation of a memorandum for the 
record. 


7.2.1.2. Inquiry. The informal inquiry process is limited to inquiries necessary to determine 


whether a Formal Investigation is required. The Program Director must conduct 
such inquiry necessary to determine the accuracy of the information obtained, and 
if the information, if true, would serve as a basis for decertification. The nature and 
extent of the inquiry process will vary depending on the source of the information. 
For example, an informal inquiry initiated as a result of action taken under the 
Certification Quality Monitoring Program will often require the Program Director 
to review the report issued as a result of the quality monitoring action. On the 
other hand, information provided by election officials or by voters who have used 
a voting system may require the Program Director (or assigned EAC staff) to 
perform an in-person inspection or make inquiries of the manufacturer. 


7.2.1.3. Conclusion. An informal inquiry will be concluded after the Program Director 


determines the accuracy of the information that initiated the inquiry and whether 
that information, if true, would warrant decertification. The Program Director may 
make only two conclusions: (1) refer the matter for a formal investigation, or (2) 
close the matter without additional action or referral. 


Closing the Matter without Referral. If the Program Director determines a matter does not 
require a formal investigation, the Program Director must close the inquiry by filing a 
memorandum for the record and notifying the manufacturer. This document must state 
the focus of the inquiry, the findings of the inquiry, and the reasons a formal investigation 
was not warranted. 


Referral. If the Program Director determines a matter requires a formal investigation, the 
Program Director must refer the matter in writing to the Decision Authority. In preparing 
this referral, the Program Director must: 


state the facts that served as the basis for the referral, 


state the findings of the Program Director, 


attach all documented evidence that served as the basis for the conclusion, and 


recommend a formal investigation, specifically stating the system to be investigated 
and the scope and focus of the proposed investigation. 


Formal Investigation. A formal investigation is an official investigation to determine whether a 
voting system warrants decertification. The end result of a formal investigation is an investigation 
report. The purpose of a formal investigation is to gather and document relevant information 


sufficient to make a determination on whether an EAC-certified voting system warrants 
decertification consistent with the policy put forth in Section 7.2. 


47 


EAC Voting System Testing and Certification Program Manual, Version 3.0 
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7.3.2. 


7 Os 


Initiation of Investigation. The Decision Authority must authorize the initiation of a 
formal investigation. 


7.3.1.1. Scope. The Decision Authority must clearly set the scope of the investigation by 
identifying (in writing) the voting system and specific procedural or operational 
non-conformance to be investigated. The non-conformance to be investigated must 
be set forth in the form of numbered allegations. 


7.3.1.2. Investigator. The Program Director (or Decision Authority appointee) is responsible 
for conducting the investigation. The Program Director (or Decision Authority 
appointee) may assign staff or technical experts, as required, to investigate the 
matter. 


Notice of Formal Investigation. Upon initiation of a formal investigation, the EAC must 
notify the manufacturer of the scope of the investigation, which must include: 
e Identification of the voting system and specific procedural or operation non- 
conformance being investigated (scope of investigation). 


e An opportunity for the manufacturer to provide relevant information in writing. 
e Anestimated timeline for the investigation. 


Investigation. Investigations must be conducted impartially, diligently, promptly, and 
confidentially and must utilize appropriate techniques to gather the necessary 
information. 


7.3.3.1. Conflicts of Interest. All individuals assigned to an investigation must be free from 
any financial conflicts of interest. 


7.3.3.2. Diligent Collection of Information. All investigations must be conducted in a 
meticulous and thorough manner. Investigations will gather all relevant 
information and documentation that is available. 


7.3.3.3. Prompt Collection of Information. Determinations that may affect the administration 
of federal elections must be made in an expedited manner. The EAC’s 
determinations on decertification may affect the actions of state and local election 
officials conducting elections and as such, all investigations regarding 
decertification must proceed with a sense of urgency. 


7.3.3.4. Confidential Collection of Information. Consistent with federal law, information 
pertaining to a formal investigation will not be made public until the investigation 
report is complete. The release of incomplete and unsubstantiated information, or 
pre-decisional opinions, that may be contrary or inconsistent with the final 
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determination of the EAC could cause public confusion or negatively affect public 
confidence in active voting systems. Such actions could serve to impermissibly 
affect election administration and voter turnout. All pre-decisional investigative 
materials must be safeguarded. 


7.3.3.5. Methodologies. Investigators must gather information by means consistent with the 
four principles noted above. Investigative tools include (but are not limited to) the 
following: 


Investigators may interview individuals (such as state and local election 
officials, voters, or manufacturer representatives). All interviews must be 
reduced to written form; each interview must be summarized in a 
statement that is reviewed, approved, and signed by the interviewee. 


Field audits. 
Manufacturing site audits. 


Investigators may pose specific, written questions to the manufacturer for 
the purpose of gathering information relevant to the investigation. The 
manufacturer must respond to the queries within timeframe as specified in 
the request. 


Testing may be performed in an attempt to reproduce a condition or failure 
that has been reported. This testing must be conducted at a VSTL as 
designated by the EAC. 


Investigation Report. The investigation report serves to document: (1) all relevant and 
reliable information gathered in the course of the investigation; and (2) the conclusion 
reached by the Decision Authority. 


7.3.4.1. The report is complete and final when certified and signed by the Decision 
Authority. The final report will be publicly available at www.eac.gov. The 
following must be included in the written report: 


The scope of the investigation, identification of the voting system, and 
specific matter investigated. 


Description of the investigative process employed. 


Summary of the relevant and reliable facts and information gathered in the 
course of the investigation. 


All relevant and reliable evidence collected in the course of the 
investigation that documents the facts must be documented and attached. 
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e Analysis of the information gathered. 
e Statement of the findings of the investigation. 


7.3.4.2. Findings. The investigation report must state one of two conclusions: substantiated 
allegation or unsubstantiated allegation. 


7.3.4.3. Substantiated Allegation. An allegation is substantiated if a preponderance of the 
relevant and reliable information gathered requires the voting system in question 
to be decertified. A notice of noncompliance must be issued if an allegation is 
substantiated. 


7.3.4.4. Unsubstantiated Allegation. An allegation is unsubstantiated if the preponderance of 
the relevant and reliable information gathered does not warrant decertification. If 
all allegations are unsubstantiated, the matter will be closed, and a copy of the 
report forwarded to the manufacturer. 


Effect of Informal Inquiry or Formal Investigation on Certification. A voting system’s EAC 
certification is not affected by the initiation or conclusion of an informal inquiry or formal 
investigation. Systems under investigation remain certified until a final decision on decertification 
is issued by the EAC. 


Notice of Noncompliance. The notice of noncompliance is not a decertification of the voting 
system. The purpose of the notice is to notify the manufacturer of the noncompliance and the 
EAC’s intent to decertify the system and inform the manufacturer of its procedural rights so that 
it may be heard prior to decertification. 


The following must be included in a notice of noncompliance: 
e Acopy of the investigation report to the manufacturer. 


e The noncompliance, consistent with the investigation report. 


e Notification to the manufacturer that if the voting system is not made compliant, the voting 
system will be decertified. 


e State the actions the manufacturer must take to bring the voting system into compliance and 
avoid decertification. 


e The manufacturer’s procedural rights under the program, which include the following: 
e the manufacture’s right to present information to the Decision Authority prior to a 


determination of decertification, 


e the investigation report and any other materials that serve as the basis of an agency 
decision on decertification, and 
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e the manufacturer’s right to cure within 15 business days of its receipt of the notice of 
noncompliance. 


Procedure for Decision on Decertification. The Decision Authority must make and issue a 
written decision on decertification after the manufacturer has had a reasonable opportunity to 
cure the noncompliance and submit information for consideration. 


7.6.1. 


Opportunity to Cure. The manufacturer will have an opportunity to cure a nonconformant 
voting system 30 business days prior to decertification. 


7.6.1.1. 


7.6.1.2. 


70:19, 


7.6.1.4. 


7.6.1.5. 


Manufacturer’s Request to Cure. Within 10 business days of receiving the EAC’s 
notice of noncompliance, a manufacturer may request an opportunity to cure all 
defects identified in the notice of noncompliance. The request must be sent to the 
Decision Authority and outline how the manufacturer intends to modify the 
system, update the technical information, have a VSTL create a test plan and test 
the system. 


EAC Action on Request. The Decision Authority must review the request and 
approve it if the defects identified in the notice of noncompliance may reasonably 
be cured before the next federal election. 


Manufacturer’s Compliance Plan. Upon approval of the manufacturer’s request for 
an opportunity to cure, the manufacturer must submit a compliance plan to the 
Decision Authority for approval. This compliance plan must describe the steps to 
be taken (including time frames) to cure all identified defects. The plan must 
describe the proposed changes to the system, provide for modification of the 
system, update the technical information required by Section 4.2, include a test 
plan delivered to the EAC by the VSTL, and provide for the VSTL’s testing of the 
system and submission of the test report to the EAC for approval. The plan must 
include a schedule of periodic progress reports to the Program Director. 


EAC Action on the Compliance Plan. The Decision Authority must review and 
approve the compliance plan. The Decision Authority may require the 
manufacturer to provide additional information and modify the plan as required. 
If the manufacturer is unable or unwilling to provide a compliance plan acceptable 
to the Decision Authority, the Decision Authority must provide written notice 
terminating the “opportunity to cure” process. 


VSTL’s Submission of the Compliance Plan Test Report. The VSTL must submit the test 
report created pursuant to the manufacturer’s EAC-approved compliance plan. 
The EAC must review the test report and any other necessary or relevant 
materials. The report will be reviewed by the EAC in a manner similar to the 
procedures described in Chapter 4 of this manual. 
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7.6.1.6. EAC Decision on the System. After receipt of the VSTL’s test report, the Decision 
Authority must issue a decision within 20 business days. 


7.6.2. Decision on Decertification. The Decision Authority must make and issue an agency 
determination on decertification after the manufacturer has provided all of its written 
materials for consideration or the time allotted for submission has expired. A 
decertification is effective upon the EAC’s publication of the decision. This decision must 
include the following: 

e The agency’s determination on the decertification, specifically addressing the areas 
of noncompliance investigated. 


e The issues raised by the manufacturer in the materials it submitted for consideration. 


e Facts, evidence, procedural requirements, and/or VVSG requirements that served as 
the basis for the decision. 


e The reasoning for the decision. 


e Documentation that served as a basis for the decision and that was not part of the 
manufacturer’s submission or the investigation report. 


e Notification to the manufacturer of its right to appeal. 


Appeal of Decertification. A manufacturer may request an appeal of the decision. The 
manufacturer must submit a request in writing to the Chair of the EAC within 20 calendar days of 
receipt of the decision on decertification. The manufacturer must clearly state the specific 
conclusions of the decision that the manufacturer wishes to appeal including any additional 
written arguments. The initiation of an appeal does not affect the decertified status of a voting 
system. 


7.7.1. Consideration of Appeal. All timely appeals will be considered by the Appeal Authority. 
The Appeal Authority consists of two or more EAC Commissioners or other individual(s) 
designated by the Commissioners who have not previously served as an investigator, 
advisor, or decision maker in the decertification process. All decisions on appeal must be 
on the record. 


The decision of the Decision Authority will be given deference by the Appeal Authority. 
The burden of proof belongs to the manufacturer to demonstrate by clear and convincing 
evidence that its voting system met all substantive and procedural requirements for 
certification. The determination of the Decision Authority will only be overturned if the 
Appeal Authority finds the ultimate facts in controversy highly probable. 


7.7.2. Decision on Appeal. The Appeal Authority must issue a written decision on appeal to the 
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manufacturer that either grants or denies the appeal. If a manufacturer’s appeal is granted 
in whole, the decision of the Decision Authority will be reversed, and the voting system 
will have its certification reinstated. For purposes of this Program, the system will be 
treated as though it was never decertified. If a manufacturer’s appeal is denied in whole or 
in part, the decertification decision of the Decision Authority will be upheld. The voting 
system will remain decertified and no additional appeal will be available. The decision on 
appeal is final and binding and no additional appeal will be granted. The following must 
be included in a decision on appeal: 

e The final determination of the agency. 


e The matters raised by the manufacturer on appeal. 
e The reasoning behind the decision. 
e Statement that the decision on appeal is final. 

7.8. Effect of Decertification. A decertified voting system no longer holds an EAC certification. For 
purposes of this manual and the program, a decertified system will be treated as any other 
uncertified voting system. As such, the effects of decertification are as follows: 

e The manufacturer must not represent the voting system as certified. 
e The voting system must not be labeled with a Mark of Certification. 
e The voting system will be removed from the EAC’s list of certified systems. 
e The EAC must notify state and local election officials of the decertification. 
7.9. Recertification. A decertified system may be resubmitted for certification and will be treated as 


any other system seeking certification. The manufacturer must submit an application for 
certification consistent with the instructions of this manual. 
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8.1. 


8.2. 


8.3. 


8.4. 


Quality Monitoring Program 


Overview. The quality of any product, including a voting system, depends on two specific 
elements: (1) the design of the product or system; and (2) the consistency of the manufacturing 
process. The EAC’s testing and certification process focuses on voting system design by ensuring 
that a representative sample of a system meets the technical specifications of the applicable VVSG 
requirements. The quality of the manufacturing is the responsibility of the manufacturer. 


After a system is certified, the manufacturer assumes primary responsibility for compliance of the 
products produced. This level of compliance is accomplished by the manufacturer’s configuration 
management and quality control processes. The EAC’s Quality Monitoring Program, as outlined 
in this chapter, provides an additional layer of quality control by allowing the EAC to perform 
manufacturing site audits, carry out fielded system reviews, and gather information on voting 
system anomalies from election officials. These additional tools help ensure that voting systems 
continue to meet the VVSG requirements as the systems are manufactured, delivered, and used in 
federal elections. These aspects of the program enable the EAC to independently monitor the 
continued compliance of fielded voting systems. 


Purpose. The purpose of the Quality Monitoring Program is to: 
e ensure systems used by election jurisdictions are identical to those tested and certified by 
the EAC, 
¢ monitor the completeness and adequacy of testing with the desired performance in fielded 
voting systems, and 
e monitor the effectiveness of the VVSG. 


This level of quality control is accomplished primarily by identifying potential quality problems 
in manufacturing, uncertified voting system configurations, and field performance issues with 
certified systems. 


Manufacturer’s Quality Control. The EAC’s Quality Monitoring Program is not a substitute for 
the manufacturer’s own quality control program. As stated in Chapter 2 of this manual, all 
manufacturers must have an acceptable quality control program in place before they may be 
registered. The EAC’s program serves as an independent and complementary process of quality 
control that works in tandem with the manufacturer’s efforts. 


Quality Monitoring Methodology. The EAC utilizes four primary tools for assessing the level of 
effectiveness of the certification process and the compliance of fielded voting systems: 
e manufacturing site audits, 


e fielded system reviews, 


e¢ ameans for receiving anomaly reports from the field, and 
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technical bulletins or product advisories created by the manufacturer. 


8.5. Manufacturing Site Audit. Facilities that produce certified voting systems must be reviewed 
periodically, at the discretion of the EAC, to verify that the system being manufactured, 
shipped, and sold is the same as the certified system. All registered manufacturers must 
cooperate with such site reviews as a condition of program participation. 


8.5.1, 


S52. 


8.5.3. 


8.5.4. 


8.50: 


Notice. The site review may be conducted as either a pre-scheduled or as an impromptu 
visit, at the discretion of the EAC; however, a manufacturer must be given at least 24 
hours’ notice. Scheduling and notice of site reviews must be coordinated with, and 
provided to, the manufacturing facility’s representative and the manufacturer’s 
representative. 


Frequency. All manufacturing facilities are subject to a site review at least once every two 
years during odd years. 


The Review. The production facility and production test records must be made available 
for review. When requested, production schedules must be provided to the EAC. 
Production or production testing may be witnessed by EAC representatives. If equipment 
is not being produced during the inspection, the review may be limited to production 
records. During the inspection, the manufacturer must provide the EAC’s representative 
the manufacturer’s quality manual and other documentation sufficient to enable the 
representative to evaluate the following factors of the facility’s production: 

e Manufacturing quality controls. 


e Final inspection and testing. 

e History of deficiencies or anomalies and corrective actions taken. 

e Equipment calibration and maintenance. 

e Corrective action program. 

e Policies on product labeling and the application of the EAC mark of certification. 


Exit Briefing. EAC representatives must provide the manufacturing facility’s 
representative a verbal exit briefing regarding the preliminary observations of the review. 


Written Report. A written report documenting the review must be drafted by the EAC and 
provided to the manufacturer. The report must detail the findings of the review and 
identify actions that are required to correct any identified deficiencies. 


8.6. Fielded System Review and Testing. Upon invitation, or with the permission of a state or local 
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election authority, the EAC may conduct a review of fielded voting systems. Such reviews will be 
conducted to ensure that a fielded system is comprised of the same configuration as what was 
certified by the EAC and that the proper mark of certification has been applied. This review may 
include the testing of a fielded system, if deemed necessary. Any anomalies found during this 
review must be provided to the appropriate election jurisdiction(s) and the manufacturer. In 
addition, this review will evaluate the correspondence of the actual configuration and use of the 
voting system in the field with the VSTL-tested system. If anomalies occur, these reviews seek to 
determine the direct cause, underlying root cause and appropriate remedial and/or preventative 
actions. 


8.7. Field Anomaly Reporting. The EAC will collect information from election officials with fielded 
EAC-certified voting systems. Information on the actual field performance of a voting system is 
used as a means for assessing the effectiveness of the program and the manufacturing quality and 
version control. The EAC must provide a mechanism for election officials to provide input related 
to voting system anomalies. 


8.7.1. Anomaly Report. Election officials may submit notices of voting system anomalies directly 
to the EAC in PDF format consistent with the requirements below. 


8.7.2. Who May Report? State or local election officials who have experienced voting system 
anomalies in their jurisdiction may file anomaly reports. The individuals reporting must 
identify themselves and have firsthand knowledge of, or official responsibility over, the 
anomaly being reported. Anonymous or hearsay reporting will not be accepted. 


8.7.3. What Is Reported? Election officials may report voting system anomalies. An anomaly is 
defined as an irregular or inconsistent action or response from the voting system, or 
system component, which resulted in the system or component not functioning as 
intended or expected. Anomalies resulting from administrator error or procedural 
deficiencies are not considered anomalies for purposes under this chapter. The report 
must include: 

e The official’s name, title, contact information, and jurisdiction. 


e A description of the voting system that experienced the anomaly. 
e The date and location of the reported occurrence. 
e The type of election. 


e A description of the anomaly witnessed with applicable supporting documentation, if 
available. 


8.7.4. Distribution of Reports. Reports which are deemed to contain credible information must 
be distributed to state and local election jurisdictions with similar systems, to the 
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8.8. 


8.9. 


manufacturer of the voting system, and to the VSTLs. Reports are deemed credible if: 
e the definition of an anomaly is met; 


¢ acomplete report is submitted based on the requirements of Section 8.7.3; 


e information contained within the report was confirmed by others present at the time 
of the anomaly; and 


e was verified by the relevant state’s chief election official. 


Manufacturer Created Technical Bulletins or Product Advisories. Manufacturers are required to 
provide any technical bulletins or product advisories issued on EAC-certified voting systems to 
the EAC at the time they are issued to jurisdictions impacted by the advisory. EAC must receive 
these via email within 24 hours of issuance. 


Use of Quality Monitoring Information. Ultimately, the information the EAC gathers from 
manufacturing site audits, fielded system reviews, and field anomaly reports is used to improve 
the program and ensure the quality of voting systems. The Quality Monitoring Program is not 
designed to be punitive but to be focused on improving the process. Information gathered is used 
to accomplish the following: 


8.9.1. Identify areas for improvement in the EAC’s Testing and Certification Program. 
8.9.2. Improve the manufacturing quality and change control processes. 
8.9.3. Increase voter confidence in voting technology. 


8.9.4. Inform manufacturers, election officials, and the EAC of issues associated with voting 
systems in a real-world environment. 


8.9.5. Share information among jurisdictions that use similar voting systems. 


8.9.6. Resolve problems associated with voting technology or manufacturing by involving 
manufacturers, election officials, and the EAC. 


8.9.7. Strengthen the coordination between certification testing and the desired performance in 
deployed voting systems. 


8.9.8. Adopt a yearly VVSG review process where proposed changes and/or additions are 
considered by the TGDC and determinations are sent to the EAC Executive Director (or a 
person operating in that capacity) to begin the adoption process and that whenever 
possible, review processes (such as Board of Advisor review, Standards Board Review, 
and public comment periods) run concurrently to ensure timely adoption of changes 
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and/or additions. 


8.9.9. Initiate an investigation when information suggests decertification is warranted (see 
Chapter 7). 
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9. 


9.1. 


9.2. 


Requests for Interpretations 


Overview. A request for interpretation (RFI) is means by which manufacturers and VSTLs may 
request the EAC to provide a definitive interpretation of VVSG requirements when, in the course 
of developing or testing a voting system, the meaning of a particular requirement is ambiguous. 
The EAC may self-initiate such a request when its agents identify a need for interpretation within 
the program. An interpretation issued by the EAC serves to clarify what a given standard 
requires and how to properly evaluate compliance. An interpretation does not amend VVSG 
requirements but serves only to clarify existing requirements. Suggestions or requests for 
modifications to the VVSG are provided by other processes. This chapter outlines the 
requirements and procedures for submitting an RFI. 


Requirements for Submitting a Request for Interpretation. An interpretation is limited in scope. 
An RFI must: 

e be submitted by a registered manufacturer or VSTL, 

e request interpretation of an applicable VVSG requirement, 

e present an actual controversy, and 

e seek clarification on a matter of unsettled ambiguity. 


9.2.1. Applicable VVSG Requirements. An RFI is limited to queries regarding requirements 
contained in a version of EAC VVSG to which the EAC currently offers certification. 


9.2.2. Existing Factual Controversy. To submit an RFI, a manufacturer or VSTL must present a 
question relative to a specific voting system or technology proposed for use in a voting 
system. An RFI on hypothetical issues will not be addressed by the EAC, and the EAC will 
not accept an RFI when the issue has previously been clarified. A factual controversy 
exists when an attempt to apply a specific section of the VVSG to a specific system or piece 
of technology creates ambiguity. 


9.2.2.1. Actual Ambiguity. An RFI must contain an actual ambiguity. The interpretation 
process is not a means for challenging a clear VVSG requirement or to recommend 
changes to requirements. An ambiguity arises when one of the following occurs: 
e The language of a requirement or its test assertions is unclear on its face. 


e One requirement or its test assertions seems to contradict another. 

e The language of the requirement or its test assertions, though clear on its 
face, lacks sufficient detail or breadth to determine its proper application to 
a particular technology. 

e The language of a particular requirement or its test assertions, when 


applied to a specific technology, conflicts with the established purpose or 
intent of the requirement. 
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e The language of the requirement or its test assertions is clear, but the 
proper means to assess compliance is unclear. 


9.3. Procedure for Submitting a Request for Interpretation. An RFI must be made in writing to the 
Program Director. EAC interpretations are based upon, and limited to, the facts presented; 
therefore, all requests should be complete and as detailed as possible. Failure to provide complete 
information may result in an interpretation that is non-applicable and ultimately immaterial to 
the issue at hand. The following must be included in an RFI: 


9.3.1. Establish standing to make the request. The written request must provide sufficient 


932, 


9.3.3. 


9.3.4. 


9.5.0. 


information for the Program Director to conclude that the requestor is: 
e aproper requestor, 
e requesting an interpretation of an applicable voting system standard, 
e presenting an actual factual controversy, and 
e seeking clarification on a matter of unsettled ambiguity. 


Identify the VVSG requirement to be clarified. The request must identify the specific 
VVSG requirement or requirement(s) to which the requestor seeks clarification. The 
request must state the version of the VVSG at issue and quote and correctly cite the 
applicable requirement(s). 


State the facts resulting in ambiguity. The request must provide the facts associated with 
the voting system technology that resulted in the ambiguity. The requestor must provide 
all necessary information in a clear, concise manner. Any interpretation issued by the EAC 
must be based on the facts provided. 


Identify the ambiguity. The request must identify the ambiguity it seeks to resolve and 
must: 
e Clearly state a concise question. 


e Be related to, and reference, the voting system standard and voting system technology. 


e Be limited to a single issue. Each question or issue arising from an ambiguous 
requirement or its test assertions must be stated separately. Compound questions are 
unacceptable. If multiple issues exist, they should be presented as individual, 
numbered questions. 


e Be stated in a way that can ultimately be answered yes or no. 
Provide a Proposed Interpretation. An RFI must propose an answer to the question posed. 


The answer must interpret the requirement or its test assertions in the context of the facts 
presented and must provide the basis and reasoning behind the proposed interpretation. 
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9.4. 


9.5. 


9.6. 


EAC Action on an RFI. Upon receipt of an RFI, the Program Director must review the request to 
ensure it is complete, clear, and meets the requirements of Section 9.3. Upon review, the Program 
Director must do one of the following: 


e Request Clarification. If the RFI is incomplete, or additional information is required, the 
Program Director may request the manufacturer or VSTL clarify its RFI and identify any 
additional information required. 


e Reject the Request for Interpretation. If the RFI does not meet the requirements of Section 
9.3, the Program Director may reject it. The rejection must be provided in writing to the 
manufacturer or VSTL and must state the basis for the rejection. 


e Notify Acceptance of the Request. If the RFI is accepted, the Program Director must notify 
the manufacturer or VSTL in writing. An RFI may be accepted in whole or in part and the 
notice of acceptance must state the issues accepted for interpretation. 


The Program Director is responsible for making determinations on an RFI. After this 
determination has been made, a written interpretation must be sent to the manufacturer or VSTL. 
The following actions must be included in the interpretation: 

e The question(s) investigated. 


e The relevant facts that served as the basis of the interpretation. 
e The VVSG requirement(s) interpreted. 

e The conclusion reached. 

e The effect of an interpretation. 


Effect of Interpretation. Interpretations are fact specific and case specific. They are not tools of 
policy, but specific, fact-based guidance useful for resolving a particular problem. Ultimately, an 
interpretation is determinative and conclusive only with regard to the case presented. 
Nevertheless, interpretations do have some value as precedent. Interpretations published by the 
EAC serve as reliable guidance and authority over identical or similar questions of interpretation. 
These interpretations will help users understand and apply the individual requirements of the 
VVSG and will be incorporated into the requirement’s test assertions, where possible. 


Library of Interpretations. To better serve manufacturers, VSTLs, and other stakeholders, the 


Program Director will publish RFIs on www.eac.gov. All proprietary information contained in an 
interpretation must be redacted before publication consistent with Chapter 10 of this manual. 
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10. 


10.1. 


10.2. 


Release of Certification Program Information 


Overview. Manufacturers participating in the program are required to provide the EAC with a 
variety of documents. In general, these documents are releasable to the public and, in many cases, 
the information provided will be published by the EAC. In limited cases, documents may not be 
released if they include trade secrets, confidential commercial information, or personal 
information. While the EAC is ultimately responsible for determining which documents, federal 
law protects from release, manufacturers must identify the information they believe is protected 
and ultimately provide substantiation and a legal basis for withholding. This chapter discusses 
the EAC’s general policy on the release of information and provides manufacturers with 
standards, procedures, and requirements for identifying documents as trade secrets or 
confidential commercial information. 


EAC Policy on the Release of Certification Program Information. The EAC seeks to make its 
Voting System Testing and Certification Program as transparent as possible. The agency believes 
such action benefits the program by increasing public confidence in the process and creating a 
more informed and involved public. As such, it is the policy of the EAC to make all documents, or 
severable portions thereof, available to the public consistent with federal law (e.g. Freedom of 
Information Act and the Trade Secrets Act). 


10.2.1. Requests for Information. As in any federal program, members of the public may request 
access to Program documents under FOIA (5 U.S.C. §552). The EAC must promptly 
process such requests per the requirements of the Act. 


10.2.2. Publication of Documents. Beyond the requirements of FOIA, the EAC intends to publish 
program documents (or portions of documents) it believes are of interest to the public at 
www.eac.gov. The published documents will cover the full spectrum of the program, 
including information pertaining to: 

e registered manufacturers; 
e VSTL test plans; 

e VSTL rest reports; 

e agency decisions; 


e denials of certification; 


e issuance of certifications; 
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e information on a certified voting system’s operation, components, features or 
capabilities; 


¢ appeals; 

e reports of investigation and notice of noncompliance; 
e decertification actions; 

e manufacturing facility review reports; 

e official interpretations ; and 

e other topics as determined by the EAC. 

10.2.3. Trade Secret and Confidential Commercial Information. Federal law places a number of 
restrictions on a federal agency’s authority to release information to the public. Two such 
restrictions are particularly relevant to the program: trade secrets information and 
privileged or confidential commercial information. Both types of information are explicitly 
prohibited from release by the FOJA and the Trade Secrets Act (18 U.S.C. §1905). 

10.3. Trade Secrets. A secret, commercially valuable plan, process, or device used for the making or 
processing of a product and that is the end result of either innovation or substantial effort. It 
relates to the productive process itself, describing how a product is made. It does not relate to 
information describing end product capabilities, features, or performance. The following 
examples illustrate productive processes that may be trade secrets: 

e Plans, schematics, and other drawings useful in production. 


e Specifications of materials used in production. 


e Voting system source code used to develop or manufacture software where release would 
reveal actual programming. 


e Technical descriptions of manufacturing processes and other secret information relating 
directly to the production process. 


The following examples are likely not trade secrets: 
e Information pertaining to a finished product's capabilities or features. 
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e Information pertaining to a finished product’s performance. 


e Information regarding product components that would not reveal any commercially 


valuable information regarding production. 


10.4. Privileged or Confidential Commercial Information. Privileged or confidential commercial 
information is information submitted by a manufacturer that is commercial or financial in nature 


10.5. 


and privileged or confidential. 


10.4.1. 


10.4.2. 


Commercial or Financial Information. The terms “commercial” and “financial” should be 
given their ordinary meanings. They include records in which a submitting manufacturer 
has any commercial interest. 


Privileged or Confidential Information. Commercial or financial information is privileged 
or confidential if its disclosure would likely cause substantial harm to the competitive 
position of the submitter. The concept of harm to one’s competitive position focuses on 
harm flowing from a competitor’s affirmative use of the proprietary information. It does 
not include incidental harm associated with upset customers or employees. 


EAC’s Responsibilities. The EAC is ultimately responsible for determining whether or not a 
document (in whole or in part) may be released pursuant to federal law. However, the EAC may 
require information and input from the manufacturer submitting the documents. This 
requirement is essential for the EAC to identify, track, and make determinations on the large 
volume of documentation it receives. The EAC has the following responsibilities: 


103.15 


105.2. 


Managing Documentation and Information. The EAC controls the documentation it 
receives by ensuring that documents are secure and released to third parties only after the 
appropriate review and determination. 


Contacting Manufacturer on Proposed Release of Potentially Protected Documents. In the 
event a member of the public submits a FOJA request for documents provided by a 
manufacturer or the EAC otherwise proposes the release of such documents, the EAC 
must take the following action: 


e Review the documents to determine if they are potentially protected from release as 
trade secrets or confidential commercial information. The documents at issue may 
have been previously identified as protected by the manufacturer when submitted 
(see Section 10.7.1 below) or identified by the EAC on review. 


e Grant the submitting manufacturer an opportunity to provide input. In the event the 


information has been identified as potentially protected from release as a trade secret 
or confidential commercial information, the EAC must notify the submitter and 
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10.6. 


allow them an opportunity to submit their position on the issue prior to release of 
the information. The submitter must respond consistent with Section 10.7.1 below. 


10.5.3. Final Determination on Release. After providing the submitter of the information an 
opportunity to be heard, the EAC will make a final decision on release and inform the 
submitter of this decision. 


Manufacturer’s Responsibilities. The manufacturer is responsible for identifying documents, or 
portions of documents, it believes warrant such protection, and is responsible for providing the 
legal basis and substantiation for their determination regarding the withholding of a document. 
This responsibility arises upon the initial submission of information and upon notification by the 
EAC that it is considering the release of potentially protected information. 


10.6.1. Initial Submission of Information. When a manufacturer submits documents to the EAC as 
required by the program, it is responsible for identifying any document or portion of a 
document that it believes is protected from release by federal law. Manufacturers must 
identify protected information by the following: 


10.6.1.1. Submitting a Notice of Protected Information. This notice must identify the document, 
document page, or portion of a page that the manufacturer believes should be 
protected from release. This identification must be done with specificity. For each 
piece of information identified, the manufacturer must state the legal basis for its 
protected status. 
e Cite the applicable law that exempts the information from release. 


e Clearly discuss why that legal authority applies and why the document 
must be protected from release. 


e If necessary, provide additional documentation or information. For 
example, if the manufacturer claims a document contains confidential 
commercial information, it must also provide evidence and analysis of the 
competitive harm that would result upon release. 


10.6.1.2. Label Submissions. Label all submissions identified in the notice as “Proprietary 
Commercial Information.” Label only those submissions identified as protected. 
Attempts to indiscriminately label all materials as proprietary render the markings 
moot. 


10.6.2. Notification of Potential Release. In the event a manufacturer is notified that the EAC is 
considering the release of information that may be protected, the manufacturer must: 


10.6.2.1. Respond to the notice within 10 business days. If additional time is needed, the 
manufacturer must promptly notify the Program Director. Requests for additional 
time may be granted only for good cause and must be made before the deadline. 
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Manufacturers that do not respond before the deadline will be viewed as not 
objecting to release. 


10.6.2.2. Clearly state one of the following in the response: 
e There is no objection to release, or 


e The manufacturer objects to release. In this case, the response must clearly 
state which portions of the document the manufacturer believes should be 
protected from release. The manufacturer must follow the procedures 
discussed in Section 10.7.1. 


10.7. Personal Information. Certain personal information is protected from release under FOIA and 
the Privacy Act (5 U.S.C. §552a). This information includes private information about a person 
that, if released, would cause the individual embarrassment or constitute an unwarranted 
invasion of personal privacy. The EAC does not require the submission of private, individual 
information and the incidental submission of such information should be avoided. If a 
manufacturer believes it is required to submit such information, it should contact the Program 
Director. Examples of such information include: 

e Social security number 


e Bank account numbers 
e Home address 


e Home phone number 
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Appendix A - Glossary 
Definitions. For purposes of this manual, the terms listed below have the following definitions. 
Appeal. A formal process by which the EAC is petitioned to reconsider a decision. 


Appeal Authority. The individual or individuals appointed to serve as the determination authority 
on appeal. 


Build Environment. The disk or other media that holds the source code, compiler, linker, 
integrated development environments (IDE), and/or other necessary files for the compilation and 
on which the compiler stores the resulting executable code. 


Certificate of Conformance. The certificate issued by the EAC when a system has been found to 
meet the requirements of the VVSG. This document indicates that the system has been certified. 


Certification Program. The EAC Voting System Testing and Certification Program. 


Commercial Off-the-Shelf (COTS). Any software, firmware, device or component that is used in 
the United States by many different people or organizations for many different applications other 
than certified voting systems and that is incorporated into the voting system with no manufacturer- 
or application-specific modification. 


Commission (EAC). The U.S. Election Assistance Commission, as an agency. 


Commissioners. The serving commissioners of the U.S. Election Assistance Commission. 


Compiler. A computer program that translates programs expressed in a high-level language into 
machine language equivalents. 


Component. An identifiable and discrete part of the larger voting system essential to the operation 
of the voting system, and an immediate subset of the system to which it belongs. 


Days. The term days refers to calendar days, unless otherwise noted. When counting days, for the 
purpose of submitting or receiving a document, the count begins on the first full calendar day after 
the day the document was received. 


Decision Authority. The EAC Executive Director or Executive Director’s designee. 


Deficiency. A deficiency is considered a non-conformity to the voting standard to which the voting 
system is being certified. 
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Election Official. A State or local government employee who has as one of his or her primary 
duties the management or administration of a Federal election. 


Federal Election. Any primary, general, runoff, or special election in which a candidate for Federal 
office (President, Senator, or Representative) appears on the ballot. In addition, for the purposes of 
this manual, the term includes any and all Pre-Election Testing and Post-Election Testing and/or 
auditing done in conjunction with any primary, general, runoff, or special election involving a 
candidate for Federal office. 


Fielded Voting System. A voting system purchased or leased by a State or local government that is 
used in a Federal election. 


File Signature. A file signature, sometimes called a cryptographic hash value, creates a value that is 
computationally infeasible of being produced by two similar but different files. File signatures, a set 
of files produced using a hash algorithm, are used to verify that files are unmodified from their 
original version. 


Hash Algorithm. An algorithm that maps a bit string of arbitrary length to a shorter, fixed- length 
bit string. The hash algorithm used for this Program is the Secure Hash Algorithm (SHA-2) 
specified in Federal Information Processing Standard (FIPS) 180-4. 


Installation Device. A device containing program files, software, and installation instructions for 
installing an application (program) onto a computer. Examples of such devices include installation 
disks, compact flash memory cards, and USB memory drives. 


Integration Testing. The end-to-end testing of a full system configured for use in an election to 
assure that all legitimate configurations meet applicable standards. 


Lines of Code. Any executable statements, flow control statements, formatting (e.g., blank lines) 
and comments. 


Linker. A computer program that takes one or more objects generated by compilers and assembles 
them into a single executable program. 


Management Representative. An individual authorized to represent and make binding 
commitments and management determinations for the manufacturer. 


Manufacturer. The entity with ownership and control over a voting system submitted for 
certification. 


Manufacturing Facility. A manufacturing facility that provides: 
e final system configuration and loading of programs for customer delivery, 
e manufacturing of component units of the voting system, and 
e manufacturing of major sub-assemblies of the voting system. 
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Mark of Certification. A uniform notice permanently posted on a voting system signifying it is 
EAC-certified. 


Minor Change Order. A minor change order is a change to a certified voting system’s hardware, 
software, technical data package, or data, the nature of which does not materially alter the system’s 
reliability, functionality, capability, or operation. Any changes made to a system under test results 
in the manufacturer supplying a list and detailed description of all changes. 


Modification. Any change to a previously EAC-certified voting system’s hardware, software, or 
firmware that is not classified as a minor change order or new system. 


Program Director. The individual responsible for administering and managing the Testing and 
Certification Program. In the event of a vacancy in this position, the EAC Executive Director will 
designate staff to temporarily assume these duties. 


Proprietary Information. Commercial information or trade secrets protected from release under the 
Freedom of Information Act and the Trade Secrets Act. 


Scope of Certification. A document attached to the Certificate of Conformance. The scope of 
certification describes the system and includes, but is not limited to, the following: 

e Asystem overview that briefly describes each major component of the system. It includes a 
high-level system diagram showing these components and how they relate and interact in 
each configuration. 

e Languages supported by the system. 

e Inthe event of a modification, a description of the change(s) made to each component of the 
system. 

e Proprietary components, including hardware and software included in the system. This will 
detail the model name/number and version. 

e COTS components, including software and hardware, included in the system. This will 
detail the model name/number and version. 

e The system and component limitations and capacities that the system has been tested and 
certified to meet. 

e The declared supported functionality of the system. 

e All engineering change orders certified with the system. 


Sub-assembly. A major functional piece of equipment essential to the operational completeness of 
a component of a voting system. Examples of major sub-assemblies for voting systems include, but 
are not limited to: 

e Printers 

e Touch screen terminals 

e Scanners/Tabulators 

e Card readers 

e Ballot boxes 
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e Keyboards 

e Memory modules, USB drives, and other portable memory devices 

e External data storage devices, external hard drives, etc. 

e Motherboards, processor board and other PWB assemblies, when supplied separately from 
a complete unit 


System Identification Tools. Tools created by a manufacturer of voting systems which allow 
elections officials to verify that the hardware and software of systems purchased are identical to the 
systems certified by the EAC. 


Technical Representative. An individual authorized to provide technical information on behalf of 
the manufacturer 


Trusted Build. A software compilation process where source code is converted into machine- 
readable binary instructions (executable code) in a manner providing security measures which help 
ensure that the executable code is a verifiable and faithful representation of the source code. 


Voting System. The total combination of mechanical, electromechanical, and electronic equipment 
(including the software, firmware, and documentation required to program, control, and support 
the equipment) used to define ballots; cast and count votes; report or display election results; 
connect the voting system to the voter registration system; and maintain and produce any audit 
trail information. 


Voting System Test Laboratories (VSTL). Independent testing laboratories accredited by the EAC 
to test voting systems to EAC-approved voting system standards. Each VSTL must be accredited by 
NVLAP) and recommended by the NIST before it may receive an EAC accreditation. NVLAP 
provides third party accreditation to testing and calibration laboratories. NVLAP is in full 
conformance with the standards of the International Organization for Standardization (ISO) and the 
International Electrotechnical Commission (IEC), including ISO/IEC Guide 17025 and 17011. 


Voluntary Voting System Guidelines (VVSG). Voluntary voting system guidelines developed, 
adopted, and published by the EAC. The guidelines are identified by version number and date. 
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Appendix B — Voting System Test Plan Outline 


This outline is provided solely as an aid to test plan development. Note that these items may change 
significantly, depending on the specific project planned. 


1 Introduction 
1.1 References 


1.2 Terms and Abbreviations 
1.3 Testing Responsibilities 
1.3.1 Project schedule with 
1.3.1.1 Owner assignments 
1.3.1.2 Test case development 
1.3.1.3 Test procedure development and validation 
1.3.1.4 3rd party tests 
1.3.1.5 EAC and manufacturer dependencies 
1.4 Target of Evaluation Description 
1.4.1 System Overview 
1.4.2 Block diagram 
1.4.3. System Limits 
1.4.4 Supported Languages 
1.4.5 Supported Functionality 
1.4.5.1 Standard VVSG Functionality 


1.4.5.2 Manufacturer Extensions 


2 Pre-Certification Testing and Issues 
2.1 Evaluation of prior VSTL testing 


2.1.1 Reason for testing and results, listing of modifications from the previous system 
to the system to be tested 


2.2 Evaluation of prior non-VSTL testing 
2.2.1 Reason for testing and results, states, other 3rd party entities 
2.3 Known Field Issues 


2.3.1 Listing of relevant issues uncovered during field operations 


3 Materials Required for Testing 
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3.1 Software 


3.2 Equipment 


3.3 Test Materials 
3.4 Deliverable Materials 


4 Test Specifications 


4.1 Requirements 


4.1.1 
4.1.2 


Mapping of requirements to equipment type and features 


Rationale for why some requirements are not applicable for this campaign 


4.2 Hardware Configuration and Design 


4.3 Software System Functions 


4.4 Test Case Design 


4.4.1 


4.4.2 
4.4.3 
4.4.4 
4.4.5 


Hardware Qualitative Examination Design 

4.4.1.1 Mapping of requirements to specific interfaces 
Hardware Environmental Test Case Design 

Software Module Test Case Design and Data 
Software Functional Test Case Design and Data 


System-level Test Case Design 


4.5 Security functions 
4.6 TDP evaluation 


4.7 Source Code review 


4.8 QA & CM system review 


5 Test Data 


5.1 Data Recording 


5.2 Test Data Criteria 


5.3 Test Data Reduction 


6 Test Procedure and Conditions 


6.1 Facility Requirements 


6.2 Test Set-up 


6.3 Test Sequence 


7 Test Operations Procedures 
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Appendix C - Voting System Modification Test Plan Outline 


Test plans submitted for modifications to previously EAC-certified voting systems should be brief and 
structured to minimize test plan development and review, while enabling the EAC to maintain solid 
control of the certification process. The test plan must concisely document the strategy and plan for 
testing those sections of the VVSG applicable to the modification or modifications submitted. The test 
plan must be written with clarity that all constituents can understand what testing will be conducted, 
to verify compliance to VVSG requirements, and to assure that the test plan will remain a living 
document throughout the life of the test campaign for the modification. 


This outline is provided solely as an aid to test plan development. Note that these items may change 
significantly, depending on the specific project planned. 


1. Introduction 
1.1 Description and Overview of EAC-certified system being modified 
1.1.1 Complete definition of the baseline certified system. 


1.1.2 Detailed description of the engineering changes and/or modifications to the certified 
system and why the modification was implemented. 


1.1.3 An initial assessment of the impact that the modifications have on the system and 
past certification. 


1.1.4 Description of what will be regression tested to establish assurance that the 
modifications have no adverse impact on the compliance, integrity or performance of the 
system. 


1.2 References 

1.3 Terms and Abbreviations 

1.4 Project Schedule 

1.5 Scope of testing 
1.5.1 Block diagram (if applicable) 
1.5.2 System limits (if applicable) 
1.5.3 Supported Languages 
1.5.4 Supported Functionality 
1.5.5 VVSG 
1.5.6 RFIs 
1.5.7 NOCs 


2. Pre-Certification Testing and Issues 
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2.1 Evaluation of prior VSTL testing 
2.2 Evaluation of prior non-VSTL testing (if applicable) 
2.3 Known Field Issues (if applicable) 


3. Materials Required for Testing 
3.1 Software 


3.2 Equipment 


3.3 Test Materials 
3.4 Deliverables 


3.5 Proprietary Data 


4. Test Specifications 


4.1 Requirements 
4.1.1 Mapping of requirements to equipment type and features 
4.1.2 Rationale for why some requirements are NA for this campaign 

4.2 Hardware Configuration and Design (if applicable) 

4.3 Software System Functions (if applicable) 

4.4 Test Case Design 
4.4.1 Hardware Qualitative Examination Design (if applicable) 
4.4.2 Hardware Environmental Test Case Design (if applicable) 
4.4.3 Software Module Test Case Design and Data (if applicable) 
4.4.4 Software Functional Test Case Design and Data (if applicable) 
4.4.5 System-level Test Case Design 

4.5 Security functions (if applicable) 

4.6 TDP evaluation 

4.7 Source Code review (if applicable) 

4.8 QA & CM system review 


5. Test Data 
5.1 Test Data Recording 


5.2 Test Data Criteria 


6. Test Procedure and Conditions 
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6.1 Test Facilities 


6.2 Test Set-up 
6.3 Test Sequence 


6.4 Test Operations Procedure 
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Appendix D - Voting System Test Report Outline 


Test Reports produced by VSTLs must follow the format outlined below. Deviations from this 
format may be used upon prior written approval of the Program Director. 
1. System Identification and Overview 
2. Certification Test Background 
2.1 Revision History 
2.2 Implementation Statement 
3. Test Findings and Recommendation 
3.1 Summary Finding and Recommendation 
3.2 Reasons for Recommendation to Reject 
3.3 Anomalies 
3.4 Correction of Deficiencies 
Appendix A. Additional Findings 
Appendix B. Warrant of Accepting Change Control Responsibility 
Appendix C. Trusted Build 
Appendix D. Test Plan 
Appendix E. State Test Reports 
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Appendix E — Voting System Modification Test Report Outline 


Test Reports produced by VSTLs must follow the format outlined below. Deviations from this format 
may be used upon prior written approval of the Program Director. 


1. Introduction 
1.1 Description of EAC-certified system being modified 
1.2 References 


1.3Terms and Abbreviations 


2. Certification Test Background 
2.1 Revision History 


2.2 Scope of testing 

2.2.1 Modification Overview 
2.2.1.1 Detailed list of changes 

2.2.2 Block diagram (if applicable) 

2.2.3 Supported Languages 

2.2.4 VVSG 

2.2.5 RFIs 

2.2.6 NOCs 


3. Test Findings and Recommendation 


3.1 Summary Finding and Recommendation 
3.1.1 Hardware Testing 
3.1.2 System Level Testing 
3.1.3 Source code review 

3.2 Anomalies and Resolutions 

3.3 Deficiencies and Resolutions 


4. Recommendation for Certification 


Appendix A. Additional Findings 
Appendix B. Deficiency report (if applicable) 
Appendix C. Anomaly report (if applicable) 
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Appendix D. Test Plan 
Appendix E. State Test Reports (if applicable) 
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Appendix F - Pilot Program for Component Testing 


Introduction 

VVSG 2.0 introduces the principle of interoperability and defines requirements for voting systems to 
adhere to common data formats (CDFs) defined by NIST. The CDFs may, for the first time, allow 
existing or specialty component manufacturers to create novel devices that can be integrated into 
certified voting systems without needing to process data from proprietary interchange formats. The 
EAC is introducing a component testing pilot program to evaluate the feasibility of these types of 
integrations while maintaining the security, accuracy, and integrity of certified voting systems. 


The component testing pilot program proposes additions to the EAC’s Testing and Certification 
Program that will allow election officials to acquire solutions that meet their needs without the 
requirement for a single voting system manufacturer to provide all functionality. Manufacturers will be 
able to focus their resources on creating best in breed components that reflect their strengths. 


Pilot Program 

The EAC will conduct a voluntary pilot program to test and certify voting system components outside 
of the context of full voting system certification. Testing will be conducted by EAC-accredited VSTLs 
and the program has the following goals: 


1. Develop a process to conduct integration testing of voting system components from different 
manufacturers. 


2. Validate that the CDFs are functioning as intended. 


3. Develop processes to document the addition of components from different manufacturers to a 
certified voting system configuration. 


4. Develop new guidelines for inclusion in future updates to the Testing and Certification program. 


Manufacturers wishing to participate in the component testing pilot program must register with the 
EAC’s Testing and Certification Program as defined in Chapter 2 of this manual. Additionally, the 
manufacturer must identify specific EAC-certified voting system(s) against which the component 
should be evaluated. Finally, the manufacturer should submit a certification application, to the extent 
possible, as defined in Chapter 3 of this manual. 


Submitted components should be discrete or stand-alone components that only require information 


available through the CDFs. Full or partial voting systems (multiple components) will not be 
considered as part of this pilot program. 
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